Docker Community Forums

Docker Containerization of IPTables Complexity -- Simplification Request

I’m writing this because it feels like what I’m having to do in production with firewalling in front of Docker goes against the overall purpose of containerization. Namely, using iptables or tools like UFW on the host is unpredictable for most users (unless they’re really familiar with docker networking). Wouldn’t we want all of the guides and history of use for a tool as widely used as iptables to apply to systems running docker containers? Having our docker services affect our systems this way seems to break the idea of containerization. This seems to be at the level of complexity where maintaining secure docker services becomes an issue.

In short, I want to be more sure of firewall management, like I was when I ran my production software on the host, rather than docker containers. What if, for example, the iptables logic was all kept inside of docker containers? There must be a nice way of simplifying this and keeping host networking more predictable.

Thanks for your consideration.

Leaving this here since this is the best GitHub project I’ve found to help with these issues, but I still think it is more of docker’s responsibility to handle elegantly:

I’m hoping we can get some official word on this from Docker devs…