Add a command for writing the required iptables rules

Docker adds iptables rules when the daemon starts. When a sysadmin or firewall maintenance script flushes iptables, Docker stops working. The only way to get it working again is restarting the Docker daemon, which kills all the running containers. Trying to convince sysadmins to not flush the entire iptables almost never works. Trying to maintain the firewall rules myself seems complicated, brittle and doomed to fail.

I would love to see a command for writing the firewall rules that Docker writes on startup. It sounds (at least to me) like this would be trivial to add, as it wouldn’t require any new functionality. It would just be a command that allows users to manually run a routine that Docker currently runs automatically on startup.

Docker installs two custom iptables chains named DOCKER-USER and DOCKER , and it ensures that incoming packets are always checked by these two chains first.

All of Docker’s iptables rules are added to the DOCKER chain.

source: Docker and iptables | Docker Documentation

First, iptables are old.
Secondly, for sure there is a command with which you can display all iptables rules.
Third, you will not be exempt from creating rules yourself if your containers need any extras.

PS: I’m not familiar with iptables!

I fully expect I might just be stupid here, but I don’t see how your answer has anything to do with my feature request, other than being vaguely Docker- and iptables related. Are you taking the position that you wouldn’t like to see this command implemented?

I only think you don’t know what to do with my answer.
Your questions are welcome!

So I’ve used Google for you and here you can find answers:

I have Googled, and I have read that StackOverflow page. There’s nothing in there that isn’t covered by my original question. The recommended way to restore the rules is to restart Docker; the more complicated and brittle way is to back up the rules in a file. Both are terrible solutions compared to a simple command for rewriting the firewall rules. It would basically have the effect of restarting Docker, but without killing all containers.

I have not much to contribute to this feature request.

Though, I can share how I personally handle this sort of organizational problem.

I handle the problem on the same level it is created :)
– I use whatever ticket system the company provides to raise incident tickets
– I escalate the ticket if operations tries to close it with “works as designed”
Then I escalate it up the chain until it reaches a level where deciders are actually able to understand that it’s either the admin iptables task OR running services on a container runtime engine (and as such requiring the nodes to be excluded from the admin task)

Otherwise you will always end up with at least a temporary unavailability of your containerized services. Even if the docker engine introduces a watchdog and re-creates the rules again when removed, there would very likely be a short time span where services wouldn’t be reachable from outside…

You also have to think around a couple of corners!
There is no direct command for what you want.
If you had looked at stackoverflow and followed the link there, you would have seen which iptables rules are created.
Also, on stackoverflow it says how to save the iptables rules; then you can look at them as well.

Obviously, that is what this feature request is for.

This is unnecessarily complicated, and it’s error prone. My understanding is that Docker adds and removes several rules from several different iptables chains whenever you add and remove containers and Docker networks. You make it sound like it’s as simple as creating an iptables rules file and just reloading that file any time iptables is flushed; I don’t think that’s the case.

If I had hooks for before and after iptables gets reset, I could probably write a script that pulls out all the rules from the different chains that Docker needs to work, then load those rules back in after the reset. But that’s so completely unnecessary! Docker already knows how to set up and maintain its iptables rules. It should be so simple to add a command that triggers it, without having to restart the entire Docker daemon.
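The “back up the rules to a file” approach from the StackOverflow discussion above and the “pull the rules out of the chains Docker needs, then load them back after the reset” script sketched in the last post come down to the same thing. Below is an added example of that script, written for this page; it is not Docker’s own tooling, nobody in the thread posted it, and Docker still has no command that does this. It is POSIX shell. Assumptions: the function names `docker_rules_from_dump`, `docker_rules_snapshot` and `docker_rules_replay` and the snapshot path are invented here; the iptables-save dump embedded at the bottom is constructed for an offline demo, not captured from a real host; Docker’s bridge interfaces follow the default `docker0` / `br-<id>` naming.

```shell
#!/bin/sh
# Added example for this thread (not Docker's own tooling). Snapshot the
# iptables rules the Docker daemon manages while Docker is healthy, and replay
# them after a firewall script has flushed the tables, without restarting dockerd.
#
# Real workflow (root, iptables and a running Docker required; path is ours):
#   docker_rules_snapshot > /var/lib/docker-iptables.rules   # while healthy
#   docker_rules_replay /var/lib/docker-iptables.rules       # after the flush

# Filter an iptables-save dump (stdin) down to the lines Docker manages: table
# headers and COMMIT lines, DOCKER* chain declarations, and every -A rule that
# references a DOCKER* chain, the docker0 bridge, a user-defined bridge
# (Docker names them br-<12 hex digits>), or a source/destination inside one of
# the Docker subnets passed in $1 (space separated, e.g. "172.17.0.0/16").
# The subnet list is what catches rules carrying no chain or interface marker,
# such as the hairpin MASQUERADE Docker adds for a published port.
# Assumption: /8, /16 and /24 subnets match by dotted prefix; any other mask
# only matches the exact network address.
docker_rules_from_dump() {
    awk -v subnets="${1:-}" '
        BEGIN {
            npre = split(subnets, s, " ")
            for (i = 1; i <= npre; i++) {
                split(s[i], p, "/")          # p[1] = network, p[2] = prefix length
                split(p[1], o, ".")
                if (p[2] == "8") pre[i] = o[1] "."
                else if (p[2] == "16") pre[i] = o[1] "." o[2] "."
                else if (p[2] == "24") pre[i] = o[1] "." o[2] "." o[3] "."
                else pre[i] = p[1] "/"
            }
        }
        function in_docker_subnet(line,   i) {
            for (i = 1; i <= npre; i++)
                if (index(line, " -s " pre[i]) || index(line, " -d " pre[i])) return 1
            return 0
        }
        /^\*/ || /^COMMIT$/ { print; next }
        /^:DOCKER/          { print; next }
        /^-A / && ($0 ~ /DOCKER/ || $0 ~ / -[io] docker0( |$)/ ||
                   $0 ~ / -[io] br-[0-9a-f]+/ || in_docker_subnet($0)) { print }
    '
}

# Snapshot from the live tables. Subnets come from docker network inspect so
# marker-less rules are captured too; rules an admin placed in DOCKER-USER are
# captured as well, which is what you want after a flush.
docker_rules_snapshot() {
    # word splitting of the network ID list is intended
    subnets=$(docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}} {{end}}' \
                  $(docker network ls -q) | tr '\n' ' ')
    iptables-save | docker_rules_from_dump "$subnets"
}

# Replay a snapshot. --noflush leaves whatever survived the flush alone and
# appends our rules; iptables-restore still empties a user-defined chain it
# re-declares before refilling it, so the DOCKER* chains come back clean.
# Run it only after a flush, otherwise the FORWARD/PREROUTING/POSTROUTING
# jumps get appended a second time.
docker_rules_replay() {
    iptables-restore --noflush < "$1"
}

# Constructed sample dump (not from a real host): default bridge with one
# published port (8080 -> 172.17.0.2:80), a user-defined network on
# br-3f2a1c9b7d4e, and admin rules on INPUT/FORWARD that must NOT be captured.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-3f2a1c9b7d4e -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-3f2a1c9b7d4e -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-USER -s 10.0.0.0/8 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Stand-alone demo: show what would be snapshotted from the sample dump.
printf '%s\n' "$SAMPLE_DUMP" | docker_rules_from_dump "172.17.0.0/16 172.18.0.0/16"
```

Two caveats a practitioner should keep in mind. First, the snapshot goes stale every time a container with published ports or a network is created or removed, so it has to be refreshed (a timer, or a wrapper around the deploy step) rather than taken once. Second, Docker inserts its `-j DOCKER-USER` and `-j DOCKER-ISOLATION-STAGE-1` jumps at the top of FORWARD, whereas a replay appends them; if the admin script restores its own FORWARD rules before the replay runs, those rules end up ahead of Docker’s jumps and the ordering is no longer what a daemon restart would produce.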