Iptables – automatic iptables rules inside docker container

dockeriptables

I am trying to set specific iptables rules inside a container but so far i have no luck. So far i tried to enter (exec bash) the container and add manually the rules, then, export the running container to a new image.

When i import the image and start the new container the iptable rules are still not there.

How can i have specific iptables rules when the container is created without having to set them automatically?

I am using docker-CE 19.03.1

The image is a custom debian-strech created using debootstrap.

Best Answer

I managed to implement this by:

1) adding all iptables rules i wish to apply on a bash script .

2) Copy the bash to the container using the Dockerfile

3) Use again Dockerfile to run the iptables bash script within the container.

For example:

iptables script

#!/bin/bash
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -s 10.88.0.0/24  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.88.0.0/24  -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

echo "iptables executed " > /root/iptables_echo

Dockerfile

FROM "openvpn-server:ready"

WORKDIR /etc/openvpn
USER root

COPY iptables.sh /usr/local/bin/iptables.sh
RUN chmod +x /usr/local/bin/iptables.sh && apt-get install iptables
CMD iptables.sh

EXPOSE 443:443/tcp

Related Solutions

Limit Outside Connections to Docker Container with Iptables

Two things to bear in mind when working with docker's firewall rules:

To avoid your rules being clobbered by docker, use the DOCKER-USER chain
Docker does the port-mapping in the PREROUTING chain of the nat table. This happens before the filter rules, so --dest and --dport will see the internal IP and port of the container. To access the original destination, you can use -m conntrack --ctorigdstport.

For example:

iptables -A DOCKER-USER -i eth0 -s 8.8.8.8 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j ACCEPT
iptables -A DOCKER-USER -i eth0 -s 4.4.4.4 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j DROP

NOTE: Without --ctdir ORIGINAL, this would also match the reply packets coming back for a connection from the container to port 3306 on some other server, which is almost certainly not what you want! You don't strictly need this if like me your first rule is -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT, as that will deal with all the reply packets, but it would be safer to still use --ctdir ORIGINAL anyway.

Iptables – Rule-Set for Docker Container to Access Host IP Service

Container communicates with host using docker0 interface. To allow traffic from container add:

-A INPUT -i docker0 -j ACCEPT

Best Answer

Related Solutions

Limit Outside Connections to Docker Container with Iptables

Iptables – Rule-Set for Docker Container to Access Host IP Service

Related Topic