Docker Community Forums


Different iptables rules for every docker network

(Aholody) #1

So I want to specify my iptables rules for every docker network I create, but I have no idea how I should handle it. I would like to have a table for every docker network I create and write my rules there to structure everything.

These are the default rules Docker has created, with a second network I have created.

# Generated by iptables-save v1.6.1 on Mon Sep 10 23:37:48 2018
*nat
:PREROUTING ACCEPT [4:488]
:INPUT ACCEPT [4:488]
:OUTPUT ACCEPT [13:800]
:POSTROUTING ACCEPT [13:800]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o br-0ce737cd1352 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-0ce737cd1352 -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Mon Sep 10 23:37:48 2018
# Generated by iptables-save v1.6.1 on Mon Sep 10 23:37:48 2018
*filter
:INPUT ACCEPT [40:3447]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [38:2896]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-0ce737cd1352 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-0ce737cd1352 -j DOCKER
-A FORWARD -i br-0ce737cd1352 ! -o br-0ce737cd1352 -j ACCEPT
-A FORWARD -i br-0ce737cd1352 -o br-0ce737cd1352 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-0ce737cd1352 ! -o br-0ce737cd1352 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-0ce737cd1352 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Sep 10 23:37:48 2018

My idea so far is to add these rules:

iptables -N DOCKER-NETWORK-BRIDGE           # chain for the default bridge network
iptables -N DOCKER-NETWORK-TEST             # chain for my created network
iptables -I DOCKER-USER -o docker0 -j DOCKER-NETWORK-BRIDGE
iptables -I DOCKER-USER -o br-0ce737cd1352 -j DOCKER-NETWORK-TEST
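The per-network chains hooked from DOCKER-USER above are the right shape: DOCKER-USER is evaluated before any of Docker's own FORWARD rules and Docker does not rewrite it when it recreates its own chains, whereas anything placed in DOCKER or the FORWARD chain directly is lost on the next daemon restart. What the sketch leaves open is what goes inside each chain, and two details that bite in practice: after the nat DOCKER chain has DNATed a published port, the packet seen in FORWARD carries the container port, not the host port, and because br_netfilter is enabled, traffic between two containers on the same bridge also traverses FORWARD and would be caught by a default DROP. The script below is an added example, not code from the original post or from Docker; the chain names, the "proto:port" allow-list format and the 64-hex-digit network ID are this example's own constructed assumptions. It renders idempotent iptables commands for one network per call (a dry run you can inspect before applying), derives the `br-` interface name from a network ID the way Docker does for networks created without `-o com.docker.network.bridge.name=...`, returns same-bridge and established traffic first, allows only listed container ports, and drops the rest.

```shell
#!/bin/sh
# Added example (not from the original post): render one filter chain per
# Docker bridge network and hook it from DOCKER-USER. Chain names, the
# allow-list format and the sample network ID are this example's assumptions.
set -eu

# Docker names a user-defined bridge "br-" + the first 12 hex digits of the
# network ID (compare br-0ce737cd1352 in the post), unless the network was
# created with -o com.docker.network.bridge.name=<name>.
bridge_for_network_id() {
  printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Render idempotent iptables commands for one network and print them.
#   $1  chain name            e.g. DOCKER-NETWORK-TEST
#   $2  bridge interface      e.g. br-0ce737cd1352
#   $3  allowed inbound container ports as "proto:port ..." (may be empty)
# Rule order matters:
#   * same-bridge traffic is returned first, because br_netfilter sends it
#     through FORWARD and a default DROP would cut containers off from each
#     other;
#   * replies to connections containers opened are returned via conntrack;
#   * --dport is the *container* port, since DNAT in nat/PREROUTING has
#     already happened when FORWARD is evaluated;
#   * RETURN hands the packet back to DOCKER-USER and then FORWARD, where
#     Docker's own ACCEPT rules apply; DROP ends it.
render_network_rules() {
  chain=$1; bridge=$2; allow=${3:-}
  printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
  printf 'iptables -A %s -i %s -o %s -j RETURN\n' "$chain" "$bridge" "$bridge"
  printf 'iptables -A %s -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n' "$chain"
  for entry in $allow; do
    proto=${entry%%:*}; port=${entry##*:}
    printf 'iptables -A %s -p %s --dport %s -j RETURN\n' "$chain" "$proto" "$port"
  done
  printf 'iptables -A %s -j DROP\n' "$chain"
  # -C tests for the hook first so a re-run does not stack duplicate jumps.
  printf 'iptables -C DOCKER-USER -o %s -j %s 2>/dev/null || iptables -I DOCKER-USER -o %s -j %s\n' \
    "$bridge" "$chain" "$bridge" "$chain"
}

# Constructed sample network ID (only its first 12 digits match the post).
SAMPLE_NETWORK_ID=0ce737cd13529a6f4b1e8d7c2a3f5e6b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f

# Dry run for the two networks in the post: the default bridge exposes only
# container port 80/tcp, the user-defined network 443/tcp and 53/udp.
render_network_rules DOCKER-NETWORK-BRIDGE docker0 "tcp:80"
render_network_rules DOCKER-NETWORK-TEST "$(bridge_for_network_id "$SAMPLE_NETWORK_ID")" "tcp:443 udp:53"
```

Review the printed commands, then pipe the script's output into `sudo sh -e` to apply them. Only forwarded traffic headed into the bridge is affected: containers opening outbound connections never match `-o <bridge>` in DOCKER-USER, and the host talking to its own containers goes through OUTPUT rather than FORWARD. Like every iptables rule, these are not persisted across reboots unless you save them (iptables-persistent or an equivalent), and the `br-<id>` name changes if the network is deleted and recreated, which is the reason to pin it with `com.docker.network.bridge.name` when the network is created.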