docker 18.09.6 basic iptables rules with comments
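*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# Docker's own NAT chain. `docker run -p` appends one DNAT rule per
# published port to it; this baseline contains none.
:DOCKER -
# Addresses used in the comments below:
#   1.1.1.1    stands for the host's public address (placeholder)
#   172.17.0.1 the host's own address on docker0; 172.17.0.0/16 is the
#              bridge subnet (see nat.3)
# (nat.1)
# Incoming packets addressed to any local address -- from the outside world
# to 1.1.1.1, or from a container to 172.17.0.1 / 1.1.1.1 -- are sent to the
# DOCKER chain. PREROUTING runs before the routing decision, so a packet that
# gets DNATed to a container here is *forwarded* afterwards: it passes the
# filter table's FORWARD chain, never INPUT.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
# (nat.2)
# Same treatment for connections the host itself opens to one of its own
# non-loopback addresses (1.1.1.1, 172.17.0.1).
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# (nat.3)
# Source-NAT everything from the bridge subnet that leaves through any
# interface other than docker0: container -> outside world, and host ->
# 172.17.0.1. MASQUERADE uses the outgoing interface's current address, so
# the rule does not need updating when the host address changes.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# (nat.4)
# Packets that arrived on docker0 leave the chain unchanged, so the DNAT
# rules Docker appends below never apply to traffic that originates from a
# container.
-A DOCKER -i docker0 -j RETURN
# What reaches this point: outside world -> 1.1.1.1, and host -> 1.1.1.1 or
# 172.17.0.1. The per-port DNAT rules for published ports are appended here.
# iptables-restore requires every table to end with COMMIT.
COMMIT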
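*filter
:INPUT ACCEPT
# Forwarded traffic is dropped unless one of the rules below accepts it.
# A new inbound connection to a container that no rule matches ends here.
:FORWARD DROP
:OUTPUT ACCEPT
# Docker's own chain. `docker run -p` appends an ACCEPT per published port;
# this baseline contains none, so the chain simply returns.
:DOCKER -
:DOCKER-ISOLATION-STAGE-1 -
:DOCKER-ISOLATION-STAGE-2 -
# Reserved for administrator rules; per the Docker docs linked at filter.11
# Docker does not manage its contents.
:DOCKER-USER -
# (filter.1)
# User rules are evaluated before anything Docker adds. Because published
# ports are DNATed in nat PREROUTING (nat.1) they traverse FORWARD, not
# INPUT: host firewall rules in INPUT do not restrict access to a published
# port -- rules in DOCKER-USER do.
-A FORWARD -j DOCKER-USER
# (filter.2)
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
# (filter.3)
# Accept the return traffic of connections a container already has, whether
# the peer is the outside world or another container.
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# (filter.4)
# New connections towards a container -- from the outside world or from
# another container -- are checked against the DOCKER chain (the published
# port ACCEPTs). Without a match the packet continues with the rules below.
-A FORWARD -o docker0 -j DOCKER
# (filter.5)
# Containers may open connections to the outside world without restriction.
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
# (filter.6)
# Every container on docker0 may reach every other container on docker0
# (inter-container communication on the default bridge). Docker's
# --icc=false daemon option is what would turn this into a DROP -- that
# variant is not part of this dump.
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Anything not accepted so far -- notably a new connection from the outside
# to a container port that is not published -- falls through to the FORWARD
# DROP policy.
# (filter.7)
# Packets leaving the bridge for any other interface are handed to stage 2.
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
# (filter.8)
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
# (filter.9)
# Stage 2 is only entered for packets that are NOT going out docker0
# (filter.7), so with docker0 as the sole bridge this DROP can never match.
# It is meant for hosts with several Docker bridges: Docker adds a stage-1
# and a stage-2 rule per bridge, and the DROP then catches traffic that came
# in on one bridge and would leave on another, isolating the networks from
# each other.
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
# (filter.10)
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# (filter.11)
# Placeholder for user rules; insert them ahead of this RETURN
# (e.g. `iptables -I DOCKER-USER ...`). This is the right place to restrict
# who may reach published ports, see filter.1.
# https://docs.docker.com/network/iptables/
-A DOCKER-USER -j RETURN
# iptables-restore requires every table to end with COMMIT.
COMMIT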