Docker Community Forums

Share and learn in the Docker community.

Docker firewall rules how to change or disable


(Gzcwnk) #1

I am on debian 8 and I moved the server from an old subnet to a new subnet IP. Problem is when docker starts its injecting iptables rules that assume the old subnet IP. I have struggled for some hours now and cant find where docker is holding this info and googling shows me in-correct or obsolete “help docs”

So I am stuck, where does docker hold the rules so I can fix them? and / or worst case how do I stop docker writing rules? I tried telling docker via systemd but this didnt work,

(https://blog.daknob.net/debian-firewall-docker/)


(Kar1) #2

Hi,

I had more or less the same issue and here is how I fixed it (ob Ubuntu, but I assume it will be the same on Debian).
I added to the docker daemon the following options (in /etc/sysconfig/docker):

OPTIONS=’–bip 10.190.33.254/24 -g /data/docker --iptables=false’

  • –bip sets the IP addresses and netmask for the containers
  • –iptables prevents Docker from modyfing my iptables rules

In the docker systemd unit file (/lib/systemd/system/docker.service), I added this line:

ExecStartPost=/docker_network_conf/docker_iptables.sh
(The script must be executed after the docker daemon is up)

And the script simply looks like:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -t nat -A POSTROUTING -s 10.190.33.0/24 ! -o docker0 -j SNAT --to-source [HOST_IP]
iptables -t nat -A POSTROUTING -s 10.190.33.0/24 ! -o docker0 -j MASQUERADE


Is it possible to disable nat in docker-compose?
(Kang Ouyang) #3

I have a same problem, it’s fixed after follow these steps. Thank you so much!