Score:1

iptables rule not working on docker

gr flag

I have some containers running on different ports such as 80, 9010 and so on. For example:

docker run -d [some other configs] --restart=always -p 9010:443 -p 9010:443/udp xxx/myImage 
#myImage is FROM python:3.6-alpine

I want to prevent all connections from outside the host to 9010. I have used many commands to restrict it; I even wrote this:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow SSH
iptables -A INPUT -j DROP # Drop everything else

But it only closes the ports of native services, not of services run by Docker. Furthermore, I wrote some rules for the DOCKER-USER chain:

iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP

It also has no effect, and every time I can telnet to 9010 successfully.

As a last try, I disabled docker-proxy and enabled iptables in /etc/docker/daemon.json:

{
    "userland-proxy": false,
    "iptables": true,
    "ipv6": false
}

But it does not work. I checked many answers but none of them works for me; for example this answer: Docker meet firewall - finally an answer

jabbson avatar
sb flag
`and enable iptables` were they disabled before? In any case, if you have iptables enabled and list all the rules, you should be able to trace how the packet is processed to the point where your new rule is. Should it reach the rule? Does it get caught by another rule that ACCEPTs the packet?
Score:0
gr flag

This is my iptables

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:https
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:443
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:https
ACCEPT     udp  --  anywhere             172.17.0.4           udp dpt:443
ACCEPT     udp  --  anywhere             172.17.0.3           udp dpt:443
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:1443
ACCEPT     udp  --  anywhere             172.17.0.5           udp dpt:1443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

To limit incoming packets when using Docker, we must restrict the DOCKER chain, for example:

iptables -A DOCKER -p tcp -d 172.17.0.3 -j DROP

To limit outgoing packets when using Docker, we can restrict the FORWARD chain like this:

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  172.17.0.3           anywhere             quota: 50000000000 bytes
DROP       all  --  172.17.0.3           anywhere
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
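
Two facts from the iptables output above explain why the question's INPUT rules and the DOCKER-USER rule never bit. Traffic to a published port is DNATed in the nat PREROUTING chain to the container address and port (172.17.0.x:443) before the filter table sees it, so it traverses FORWARD, never INPUT; and by the time it reaches DOCKER-USER its destination port is already 443, so `--dport 9010` cannot match there. The Docker documentation's `ext_if` is also only a placeholder that must be replaced with the host's real external interface name; iptables accepts an interface that does not exist without complaint. The documented place for your own rules is DOCKER-USER, which Docker leaves alone and which FORWARD consults before its RELATED,ESTABLISHED accept, so a DROP there also cuts existing sessions; the DOCKER chain itself is managed by the daemon and the documentation says not to edit it by hand. The script below is an added example, not code from this thread: it matches on the original (pre-DNAT) destination port with the conntrack match, inserts the rule for tcp and udp, and removes it again later, which is what the question asks for. The interface name eth0, the port 9010 and the IPT override variable are assumptions for the example.

```shell
#!/bin/sh
# Block, and later re-open, a Docker-published port for traffic arriving on the
# host's external interface, using the DOCKER-USER chain.
#
# A published port is DNATed in nat/PREROUTING before FORWARD runs, so in
# DOCKER-USER the packet's dport is already the container port. Matching the
# connection's ORIGINAL destination port with the conntrack match is therefore
# what identifies "host port 9010" here; "--dport 9010" would never match.
#
# IPT names the iptables command. It exists so the functions can be exercised
# with a logging wrapper (assumed convenience for this example); by default the
# real iptables is used and the script must run as root.

IPT="${IPT:-iptables}"

# Print the rule specification for one protocol (everything after the chain).
rule_spec() {
    ext_if=$1 port=$2 proto=$3
    printf '%s\n' "-i $ext_if -p $proto -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
}

# Insert the DROP rule at the top of DOCKER-USER for tcp and udp, unless an
# identical rule is already present (-C exits non-zero when the rule is absent).
block_port() {
    for proto in tcp udp; do
        spec=$(rule_spec "$1" "$2" "$proto")
        # shellcheck disable=SC2086  # word-splitting $spec into arguments is intended
        $IPT -C DOCKER-USER $spec 2>/dev/null || $IPT -I DOCKER-USER $spec
    done
}

# Remove every copy of the rule so the port is reachable from outside again.
unblock_port() {
    for proto in tcp udp; do
        spec=$(rule_spec "$1" "$2" "$proto")
        # shellcheck disable=SC2086
        while $IPT -C DOCKER-USER $spec 2>/dev/null; do
            $IPT -D DOCKER-USER $spec
        done
    done
}

# Command-line entry point; "eth0" and "9010" are assumed defaults.
# With no arguments (e.g. when sourced) only the functions are defined.
case "${1:-}" in
    block)   block_port   "${2:-eth0}" "${3:-9010}" ;;
    unblock) unblock_port "${2:-eth0}" "${3:-9010}" ;;
    "")      ;;
    *)       echo "usage: $0 block|unblock [interface] [port]" >&2; exit 2 ;;
esac
```

Run `sh block_port.sh block eth0 9010` to close the port and `sh block_port.sh unblock eth0 9010` to open it again, after replacing eth0 with the interface from `ip r` that carries the default route. To confirm the rule is the one being hit, rather than some ACCEPT earlier in the chain, watch the counters with `iptables -vnL DOCKER-USER` while repeating the telnet test from another host: the pkts column of the DROP rule must increase. Because the rule lives in DOCKER-USER it survives container restarts, which a rule appended to DOCKER would not.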

Score:0
sb flag

You do not need iptables to prevent external connections. If you look at the examples for how to expose ports (the -p option), you can specify which IP is used to listen for incoming connections. The default is to listen on 0.0.0.0, which means all IPs. If you want to prevent external connections, you can change that behaviour.

For example:

docker run -p 127.0.0.1:80:8080/tcp ubuntu bash 

This binds port 8080 of the container to TCP port 80 on 127.0.0.1 (loopback interface) of the host machine.

Majid Hajibaba avatar
gr flag
Thanks for the response. But I don't want to limit by IP. I just need to block all connections at some times and open them at other times. With your response it is closed to the outside forever.
jabbson avatar
sb flag
If you share your `iptables-save`, `ip a`, `ip r` and the source IP of the requesting host, we can take a look together.
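
The per-container `-p 127.0.0.1:...` form in the answer above can also be made the daemon-wide default, so that every `-p host:container` without an explicit address binds to loopback: the `"ip"` key in /etc/docker/daemon.json is the `--ip` option of dockerd, "default IP when binding container ports". The fragment below is an added example, not from this thread; it extends the daemon.json the question already shows, and takes effect for newly started containers after `systemctl restart docker`. A container started with an explicit `-p 0.0.0.0:9010:443` still overrides it, so this is a default, not a policy.

```json
{
    "userland-proxy": false,
    "iptables": true,
    "ipv6": false,
    "ip": "127.0.0.1"
}
```

`docker port <container>` shows the address each published port is bound to, which is the quick way to confirm that a container picked up the new default.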