Host iptables in container

Hi guys,

I’m trying to get a container working, which shall be able to control the host system’s iptables/netfilter logic.
I don’t want to have iptables running inside the container, I want to actually issue iptables commands which get active on the host, where the container runs.

The iptables rules will have nothing to do with the container, from where they shall be posted.

Is a scenario like that possible?

I tried something like

docker run --privileged -ti --rm --cap-add=NET_ADMIN centos:latest bash -c "iptables -L -t nat"

but obviously it does not have the host’s iptables available…

Thanks and best regards,
Steffen

Getting this to run in Docker will be tricky (Docker goes to some pretty significant lengths to isolate containers from the host in this way, plus does some nontrivial iptables mucking itself) and you’re probably better off just running iptables on the host directly. Doubly true since you basically need to be root to run Docker containers anyways.

(--net host might help you; but so would bind-mounting the host filesystem and adding yourself to the host’s /etc/sudoers.)


Actually the reason why that should run in the container is simply because of CI and deployment purposes.
I tested some more and indeed with the --net host parameter it does not look too bad. I get the same output in the container as I do on the host…

docker run --privileged -ti --rm --cap-add=NET_ADMIN --net=host centos:latest bash -c "yum install -y iptables; iptables -L -t nat"

I will test this more to be sure it is actually working, but it would be cool if someone could confirm the above approach.

Thanks for your answer!
Steffen
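The confirmation asked for above can be scripted: run `iptables -S -t nat` once on the host and once through a `--net=host` container, then compare the two listings chain by chain. This is an added example, not code from the thread; it assumes iptables and docker on the host, a runner with root, and an image (placeholder `IMAGE`) that already has iptables installed.

```python
"""Confirm that a --net=host container sees the host's iptables tables.

Added example, not from the original thread. Assumes iptables and docker on
the host, a CI runner with root, and a container image that has iptables.
"""
import subprocess
from collections import defaultdict

IMAGE = "centos:latest"  # placeholder; the image must already contain iptables


def parse_rules(listing: str) -> dict:
    """Parse `iptables -S` output into {chain: [rule lines]}.

    Policy (-P) and chain-definition (-N) lines are filed under their chain
    name as well, so a missing chain or changed policy also shows up.
    """
    chains = defaultdict(list)
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("-P", "-N", "-A"):
            continue  # blank line or something that is not a rule
        chains[parts[1]].append(" ".join(parts))
    return dict(chains)


def diff_rulesets(host: str, container: str) -> dict:
    """Return {chain: (host_rules, container_rules)} for chains that differ.

    An empty dict means the container sees exactly the host's rule set.
    """
    h, c = parse_rules(host), parse_rules(container)
    return {chain: (h.get(chain, []), c.get(chain, []))
            for chain in sorted(set(h) | set(c))
            if h.get(chain) != c.get(chain)}


def dump(table: str, via_docker: bool) -> str:
    """Run `iptables -S -t <table>` directly, or inside a host-netns container."""
    cmd = ["iptables", "-S", "-t", table]
    if via_docker:
        cmd = ["docker", "run", "--rm", "--net=host", "--cap-add=NET_ADMIN",
               IMAGE] + cmd
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    mismatch = diff_rulesets(dump("nat", False), dump("nat", True))
    print("host and container agree" if not mismatch else mismatch)
```

A non-empty result usually means the container did not get the host network namespace (`--net=host` missing) rather than a real rule difference, since both listings are read from the same kernel.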