Hi there,
I’m trying to understand how to make my iptables rules work with Docker. I wrote those rules prior to using Docker on this machine.
I have an Nginx app running on the host that I use as a reverse proxy. For example, requesting https://mydomain1.com leads to the host's Nginx on port 443, which proxies to one of my Docker containers (port mapping 3000:80). Nginx also handles the TLS.
I also have iptables rules loaded on boot with restrictive policies:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Then I allow service by service.
I realized my rules could lead to networking issues with Docker, so I added the following (which I suppose are ugly):
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
iptables -A INPUT -i docker0 -j ACCEPT
iptables -A OUTPUT -o docker0 -j ACCEPT
Also, I can still access the container directly from the outside world. For instance, http://mydomain1.com:3000 works even though I did not open port 3000 myself.
Finally, I have an issue with a container trying to access the host's Nginx to request a non-Docker application. When I change my policies to ACCEPT, it works. Otherwise, I get a timeout error.
I would love to:
- prevent access to containers from the outside by default and force use of the Nginx proxy
- allow containers to access the host’s network
Docker appends its own rules, so I'm getting a little lost.
Should I prevent Docker from creating iptables rules?
Thanks a lot,
Axel
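Added example (not part of Axel's post): a rule set that keeps Docker's iptables integration enabled and addresses both requests in the post through the DOCKER-USER chain, which Docker creates, evaluates before its own FORWARD rules, and does not flush. The interface names, the 172.17.0.0/16 bridge subnet and the 80/443 host ports are assumptions for the example, not values taken from the post. The script never runs a blanket `iptables -F` (which wipes the DOCKER chains if it runs after dockerd), drops new connections from the WAN to any container in DOCKER-USER so that a published port such as 3000 is reachable only from the host, and allows containers to reach the host's Nginx via INPUT on docker0.

```shell
#!/bin/sh
# Added example, not from the original post. Host firewall that coexists with
# Docker's own iptables rules instead of fighting them. Assumed values (change
# to match the host): WAN interface eth0, default bridge docker0 on
# 172.17.0.0/16, host Nginx on 80/443. Set IPT=echo to print instead of apply.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
DOCKER_IF="${DOCKER_IF:-docker0}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"
HOST_PORTS="${HOST_PORTS:-80,443}"   # services the host itself exposes

# Traffic to and from the host itself (INPUT/OUTPUT). Only these two chains are
# flushed: a global "iptables -F" would also wipe the DOCKER and
# DOCKER-ISOLATION chains that dockerd built, which is what breaks containers.
host_rules() {
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -F INPUT
  $IPT -F OUTPUT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Public services on the host: the Nginx reverse proxy (add ssh etc. here).
  $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$HOST_PORTS" -j ACCEPT
  # Containers may talk to the host's Nginx (the "non-Docker application"
  # case) but to nothing else on the host. Container -> host is INPUT on
  # docker0, not FORWARD, so Docker's own rules never see it.
  $IPT -A INPUT -i "$DOCKER_IF" -s "$DOCKER_NET" -p tcp -m multiport --dports "$HOST_PORTS" -j ACCEPT
  # Host-originated traffic. Nginx -> 127.0.0.1:3000 is DNATed (or relayed by
  # docker-proxy) to the container and leaves via docker0 through OUTPUT.
  $IPT -A OUTPUT -o "$DOCKER_IF" -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -j ACCEPT   # tighten service by service if wanted
}

# Forwarded traffic (WAN <-> containers). FORWARD's policy and Docker's rules
# are left alone; everything goes into DOCKER-USER, which dockerd evaluates
# before its own FORWARD rules and does not flush.
docker_user_rules() {
  $IPT -N DOCKER-USER 2>/dev/null || true   # already exists if dockerd is up
  $IPT -F DOCKER-USER
  # Replies to connections the containers opened themselves (apt, APIs, ...).
  $IPT -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # No new connections from the WAN into any container. Published ports such
  # as 3000 are DNATed in PREROUTING before reaching this chain, so they are
  # blocked here too and remain reachable only from the host (i.e. via Nginx).
  $IPT -A DOCKER-USER -i "$WAN_IF" -j DROP
  $IPT -A DOCKER-USER -j RETURN
}

# Print the rule set without touching the kernel (IPT=echo in a subshell).
dry_run() (
  IPT=echo
  host_rules
  docker_user_rules
)

case "${1:-}" in
  apply)   host_rules; docker_user_rules ;;
  dry-run) dry_run ;;
esac
```

Run it as root with `apply` (it is idempotent, so it can replace the boot script) or with `dry-run` to review the rules first. Check with `iptables -S DOCKER-USER` that the conntrack ACCEPT sits above the DROP; from outside the host, port 3000 should then time out while 443 still answers, and `curl https://mydomain1.com` from inside a container should reach the host's Nginx. This covers IPv4 only: if the host has a public IPv6 address, mirror the INPUT part with ip6tables, since the userland docker-proxy may also listen on the IPv6 wildcard for published ports.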