Set iptable rules in a docker image

Docker Engine General
1

I have a requirement to persist iptable rules in a docker image.
If i add my iptable rules on a running container and commit the container to an image . If i start a new container again with same image , i do not see my ip table rules.

Is it possible set iptable rules in my docker image ? , If yes how can we do that ?

2

Hello,

Images are about the userspace filesystem of a container. Things like iptables, much like on a normal system, must be set at runtime on each invocation.

/Jeff

3

Thanks for the reponse .
So in order to run iptables command at run time i need to give my container NET_ADMIN capability .

I have following question related to the security stand point if we give NET_ADMIN capability

  1. Is it safe to give NET_ADMIN Capability to my container ?

  2. As a root user of container what all damage i can do on the HOST machine if container has the NET_ADMIN capability ? As a root user of container will i be able to change/affect ip table rules of HOST machine ?

  3. As a root user of container what all damage i can do to other containers running on the same HOST?

If you can provide answer to these question it will be of great help.
Thanks

4

If you give NET_ADMIN to a container, it can do anything related to the NET_ADMIN capability. I stole the list from here: interface config, firewall config, routing table, bind to any address, set promiscuous mode, clear driver statistics, enable multicasting.

Each docker container gets its own network namespace, so generally any of these operations will be restricted to just the network namespace that the container is running in.

I am not familiar enough with all of the capabilities and the implications that each one has to be able to personally say that the NET_ADMIN capability does or doesn’t give a container breakout path or not.

Generally if you want to handle iptables-level stuff, you must accept the fact that you will need to do so with administrative privileges. It is a much lower attack surface to only give out the NET_ADMIN capability instead of going full superuser.

Cheers!