Persistent POSTROUTING iptables rules

Issue Type: Docker with IPTABLES enabled

Docker Version: 1.12.6

I had to add a few iptables entries to the NAT table, POSTROUTING chain, to allow Docker containers to access the internet through a different source address/source interface of the host machine (to_source).

Things are working fine.


target     prot opt source               destination
SNAT       all  --       to:

But when the Docker service is restarted, it inserts MASQUERADE rules on top of my entries, and hence my fix above is masked. Docker containers can’t access the internet now.


target     prot opt source               destination
SNAT        all  --       to:

Is there any way to make my POSTROUTING rules always stay on top of the chain, even after Docker restarts?
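
An added example, not part of the original post: a check that reads `iptables -t nat -S POSTROUTING` output and reports whether a MASQUERADE rule is evaluated before the SNAT rule for the container subnet, which is the ordering problem described above. The subnet `172.17.0.0/16`, the bridge name `docker0`, the address `192.0.2.10` and the function names are assumptions, and the rule listings are constructed samples.

```bash
#!/usr/bin/env bash
# Constructed listings in `iptables -t nat -S POSTROUTING` format.
# 172.17.0.0/16, docker0 and 192.0.2.10 are placeholders, not values from the post.
BEFORE_RESTART='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

AFTER_RESTART='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j SNAT --to-source 192.0.2.10'

# first_nat_target SUBNET
# Reads a rule listing on stdin and prints the target (SNAT or MASQUERADE) of the
# first rule whose -s equals SUBNET. Both targets are terminating, so the first
# matching rule decides the source address and later rules are never reached.
# Simplification: only -s is compared; other match options are ignored.
first_nat_target() {
  awk -v net="$1" '
    $1 == "-A" {
      src = ""; tgt = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-j") tgt = $(i + 1)
      }
      if (src == net && (tgt == "SNAT" || tgt == "MASQUERADE")) { print tgt; exit }
    }'
}

# snat_shadowed SUBNET
# Exit status 0 when MASQUERADE comes first, i.e. the SNAT rule is masked.
snat_shadowed() {
  [ "$(first_nat_target "$1")" = "MASQUERADE" ]
}

# On a live host (requires root):
#   iptables -t nat -S POSTROUTING | snat_shadowed 172.17.0.0/16 && echo "SNAT rule is masked"
```
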