Docker iptable rules with proxy

Hi there,

I’m trying to understand how to make my iptables rules work with Docker. I wrote those rules prior to using Docker on this machine.

I have an Nginx app running on the host. I use it as a reverse proxy. For example, requesting https://mydomain1.com leads to the host’s Nginx port 443, which proxies to one of my Docker containers on port 3000:80. Nginx also handles the TLS.

I also have iptables rules loaded on boot with restrictive policies:

iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -i lo -A INPUT -j ACCEPT
iptables -o lo -A OUTPUT -j ACCEPT
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Then I allow service by service.

I realized my rules could lead to networking issues with Docker, so I added these (which I suppose are ugly):

iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
iptables -A INPUT -i docker0 -j ACCEPT
iptables -A OUTPUT -o docker0 -j ACCEPT

Also, I can still access the container directly from the outside world. For instance, http://mydomain1.com:3000 works even though I didn’t open port 3000 myself.
Finally, I have an issue with a container trying to access the host’s Nginx to request a non-Docker application. When I change my policies to ACCEPT, that works. Otherwise, I get a timeout error.

I would love to:

  • prevent access by default to containers from the outside and force usage of the Nginx proxy
  • allow containers to access the host’s network

Docker is appending its own rules, so I’m getting a little lost.
Should I prevent Docker from creating iptables rules?

Thanks a lot,

Axel

Actually, I found a solution: I changed the publish option to 127.0.0.1:3000:80, and now the container is not accessible from the outside world.

One problem remains: the container is not able to clone a Git repository hosted by Gitea on the host. However, this Gitea is accessible from the outside on ports 80 and 443.

If I change the INPUT policy to ACCEPT, it works.

If you have any idea … Thanks
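A quick way to check which published ports bypass the host's INPUT chain, as an added example that is not part of the original post: it parses the DNAT rules Docker writes into its nat-table DOCKER chain (the iptables-save output below is constructed, not taken from Axel's machine) and flags any mapping not restricted to 127.0.0.1, i.e. anything still reachable from eth0 without going through Nginx.

```python
import re

# Constructed sample of `iptables-save -t nat` output: one container published
# with -p 3000:80 (reachable on every interface) and one published with
# -p 127.0.0.1:3001:80 (loopback only, so only the host's Nginx can reach it).
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 172.17.0.3:80
COMMIT
"""

# Shape of a Docker port-publishing DNAT rule; the -d part is only present when
# the port was published on a specific host address (e.g. 127.0.0.1:3001:80).
DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<dst>\S+))? ! -i \S+ -p (?P<proto>tcp|udp) -m \S+"
    r" --dport (?P<port>\d+) -j DNAT --to-destination (?P<target>\S+)$"
)

LOOPBACK = {"127.0.0.1/32", "127.0.0.1"}


def published_ports(nat_rules):
    """One dict per Docker DNAT rule: host port, protocol, container target and
    whether the mapping is reachable from non-loopback interfaces."""
    result = []
    for line in nat_rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        result.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "target": m.group("target"),
            # Without a loopback -d restriction the DNAT also matches packets
            # arriving on eth0; they are then FORWARDed and never hit INPUT.
            "external": dst is None or dst not in LOOPBACK,
        })
    return result


def externally_reachable(nat_rules):
    """Host ports whose containers bypass the host's INPUT policy entirely."""
    return sorted(p["port"] for p in published_ports(nat_rules) if p["external"])


if __name__ == "__main__":
    for p in published_ports(SAMPLE_NAT_RULES):
        state = "EXPOSED on all interfaces" if p["external"] else "loopback only"
        print(f"{p['proto']}/{p['port']} -> {p['target']}: {state}")
```

On a live host, feed it the real output of `iptables-save -t nat` instead of the constructed sample; an empty result from externally_reachable() means every published port is only reachable via the host's own proxy.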