Docker Community Forums

Override docker firewall rules without disabling iptables modification by docker?


(Sorends) #1

My issue is that I’m getting hammered on my VPS from Chinese IPs on my SQL server. The VPS is running Ubuntu 16.04. I have used an iptables config where I could easily open additional ports without interfering with the Docker rules. The problem is I can’t seem to block any specific IPs on the ports opened with Docker. My iptables currently looks like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]

-F INPUT
-F DOCKER-USER
-F FILTERS

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS

-A DOCKER-USER -i ens33 -j FILTERS

-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited

COMMIT

I found this tutorial: https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables/ It explains how to get a list of Chinese IPs and block them in iptables, using this line:

-A INPUT -p tcp -m set --match-set china src -j DROP

Using this I got it working blocking ping requests by adding it as one of the first rules. But no matter what I seem to do, I can’t get it to block IPs on the ports opened by Docker.

I saw that you could disable iptables modification by Docker, but I really like the ease of not having to manually open all the ports my containers use. Is there a way to add the line above as a global rule overriding all rules Docker makes?

Any help is appreciated.
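One way to get the blocklist in front of the Docker-published ports, as an added example that is not part of the original post: traffic to a published port is DNATed and forwarded (FORWARD, then the DOCKER-USER chain Docker leaves for user rules), so it never passes INPUT, and the ipset DROP has to sit in a chain that DOCKER-USER reaches. The script reuses the post's ruleset, puts the DROP at the top of FILTERS (reached from both INPUT and DOCKER-USER), and includes a check that can also be run against live `iptables-save` output; the set name `china` and interface `ens33` are taken from the post, and the set is assumed to be populated separately as in the linked tutorial.

```shell
#!/bin/sh
# Added example, not from the original post. Docker-published ports are
# forwarded via FORWARD -> DOCKER-USER and never traverse INPUT, so the DROP
# goes into FILTERS, which this ruleset reaches from INPUT and DOCKER-USER.
# Assumed names (from the post): set "china", WAN interface "ens33".
SET_NAME="${SET_NAME:-china}"
WAN_IF="${WAN_IF:-ens33}"

# Emit the iptables-restore ruleset ('#' lines are comments to iptables-restore).
render_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
# Traffic to published ports enters here from FORWARD, still with -i ${WAN_IF}
-A DOCKER-USER -i ${WAN_IF} -j FILTERS
# Blocklist first, ahead of ESTABLISHED, so already-open connections die too
-A FILTERS -m set --match-set ${SET_NAME} src -j DROP
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Check a ruleset on stdin (rendered, or live `iptables-save` output): DOCKER-USER
# must jump to FILTERS and the set DROP must precede any ACCEPT in FILTERS.
check_ruleset() {
  awk -v s="$SET_NAME" '
    /^-A DOCKER-USER / && /-j FILTERS/ { hook = 1 }
    /^-A FILTERS / && index($0, "--match-set " s " src -j DROP") { drop = NR }
    /^-A FILTERS / && /-j ACCEPT/ && !acc { acc = NR }
    END { exit !(hook && drop && (!acc || drop < acc)) }'
}

# Create the set if missing (so "-m set" resolves), then load rules atomically.
apply_rules() {
  ipset create "$SET_NAME" hash:net -exist
  render_rules | iptables-restore
}
if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run it as root with `--apply` once the set is filled; with the script sourced, `iptables-save | check_ruleset` after a Docker restart confirms the hook into FILTERS is still in place.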