Open tam7t opened 8 years ago
before running docker:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N droplan-peers
-A INPUT -i eth1 -j droplan-peers
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j DROP
-A droplan-peers -s 10.132.43.16/32 -j ACCEPT
-A droplan-peers -s 10.132.47.239/32 -j ACCEPT
after running docker run --name some-nginx -d -p 8080:80 nginx
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N droplan-peers
-A INPUT -i eth1 -j droplan-peers
-A INPUT -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A droplan-peers -s 10.132.43.16/32 -j ACCEPT
-A droplan-peers -s 10.132.47.239/32 -j ACCEPT
The FORWARD chain results in ACCEPTs since droplan doesn't add DROP chains to FORWARD. Annoyingly, docker seems to prepend its ACCEPT rules on the FORWARD chain.
So far ideas are to run docker with --iptables=false or to add the following rules after docker service startup:
sudo iptables -I FORWARD 1 -i eth1 -j DROP
sudo iptables -I FORWARD 1 -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I FORWARD 1 -j droplan-peers
- name: droplan-setup.service
  command: start
  content: |
    [Unit]
    Description=setup droplan iptable rules for docker
    # After= is a [Unit] directive; systemd ignores it when placed under [Service]
    After=docker.service

    [Service]
    Type=oneshot
    # 'docker ps' waits for the daemon to answer before the FORWARD rules are inserted
    ExecStart=/usr/bin/sh -c "docker ps; \
      iptables -N droplan-peers; \
      iptables -I FORWARD 1 -i eth1 -j DROP; \
      iptables -I FORWARD 1 -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; \
      iptables -I FORWARD 1 -j droplan-peers"
seems to work
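To check a rule table offline for the ordering problem described above (Docker's ACCEPT in FORWARD being reached before any eth1 DROP), here is an added Python example, not code from droplan or Docker: it parses iptables-save style rules, walks the FORWARD chain for a constructed NEW connection from a non-peer on eth1, and compares the thread's "after docker" rules with the same table once the three `iptables -I FORWARD 1` rules are in front. The non-peer source address 10.132.99.99 is made up; only the match options seen in the thread are supported.

```python
import ipaddress, re
def parse_rules(dump):
    """iptables-save style -P/-N/-A lines -> ({chain: [rules]}, {chain: policy})."""
    chains, policies = {}, {}
    for line in dump.strip().splitlines():
        opts = re.findall(r"(!?)\s*(-\S+)\s+(\S+)", line)  # [(neg, option, value)]
        kind, chain = opts[0][1:]
        chains.setdefault(chain, [])
        if kind == "-P":
            policies[chain] = line.split()[2]
        elif kind == "-A":  # '-m conntrack' / '-m tcp' only load modules, not a match
            chains[chain].append({
                "match": [(o, v, n == "!") for n, o, v in opts[1:] if o not in ("-j", "-m")],
                "target": dict((o, v) for _, o, v in opts).get("-j")})
    return chains, policies

def _hit(opt, val, neg, pkt):  # one match option against pkt; '!' (neg) inverts it
    if opt in ("-s", "-d"):  # CIDR match
        hit = ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(val, strict=False)
    else:  # -i -o -p --dport --ctstate; an option pkt lacks raises KeyError on purpose
        hit = pkt[opt] in val.split(",")
    return hit != neg

def verdict(table, chain, pkt):  # walk a chain like netfilter: first terminating target wins
    chains, policies = table
    for rule in chains[chain]:
        if all(_hit(o, v, n, pkt) for o, v, n in rule["match"]):
            t = rule["target"]
            if t in ("ACCEPT", "DROP", "REJECT"):
                return t
            if t == "RETURN":
                break
            if t in chains and (sub := verdict(table, t, pkt)):
                return sub
    return policies.get(chain)  # None for a user chain: the caller keeps walking

# Constructed: a NEW connection to the published port from a host outside droplan-peers.
NON_PEER = {"-i": "eth1", "-o": "docker0", "-s": "10.132.99.99", "-d": "172.17.0.2",
            "-p": "tcp", "--dport": "80", "--ctstate": "NEW"}
# The thread's 'after docker' FORWARD rules, then with the proposed '-I FORWARD 1' fix.
DOCKER_ONLY = """-P FORWARD ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A droplan-peers -s 10.132.43.16/32 -j ACCEPT"""
WITH_FIX = DOCKER_ONLY.replace("-A FORWARD -j DOCKER-ISOLATION", """-A FORWARD -j droplan-peers
-A FORWARD -i eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j DROP
-A FORWARD -j DOCKER-ISOLATION""")
```

With Docker's rules alone the non-peer connection is forwarded into the bridge; with the fix in front it is dropped, while a listed peer and an already established flow still pass.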
We may be running into a similar issue on Ubuntu 14.04. Currently, when the server reboots, the iptables setup of Docker seems to be correct; however, we need to restart the docker service manually, otherwise the containers are not available on eth1.
Rules applied by droplan seem to be pre-empted by Docker iptables rules (at least on CoreOS).