Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attempt to add static iptables rules for DOCKER-USER on CentOS 7 #8357

Closed
wants to merge 14 commits into from
Closed

Attempt to add static iptables rules for DOCKER-USER on CentOS 7 #8357

Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
9d7d5d2
Update iptables.md
Feb 26, 2019
30038a0
Added --ctdir info
Mar 1, 2019
e9e89a6
Fixed syntax
bermudezmt Mar 12, 2019
ad821c2
Added another example
Jun 7, 2019
3c582ab
Updates per Arko
Jun 7, 2019
cceb812
Updates for WAN/LAN filters
Jun 7, 2019
5857fa5
WAN/LAN filter updates
Jun 7, 2019
2667acb
Removed redundant info per Arko
Jun 10, 2019
a110170
Update network/iptables.md
Dawn-Wood Sep 13, 2019
477dcfb
Update network/iptables.md
Dawn-Wood Sep 17, 2019
4a3919f
Update network/iptables.md
Dawn-Wood Sep 17, 2019
b18c7a2
Update network/iptables.md
Dawn-Wood Sep 17, 2019
299edec
Update network/iptables.md
Dawn-Wood Sep 17, 2019
3ef6e5a
Update iptables.md
Dawn-Wood Sep 17, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 51 additions & 2 deletions network/iptables.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,15 @@ manipulate this table manually. If you need to add rules which load before
Docker's rules, add them to the `DOCKER-USER` chain. These rules are loaded
before any rules Docker creates automatically.

### Add a DOCKER-USER filter chain to allow persistent rules
This can be useful if you need to pre-populate `iptables` rules that need to be in place before
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a blank line between the header and the body? I seem to recall we've had cases where omitting the blank line caused some issues (and it's more consistent with the rest of the document)

Suggested change
This can be useful if you need to pre-populate `iptables` rules that need to be in place before
This can be useful if you need to pre-populate `iptables` rules that need to be in place before

Docker runs. The following example illustrates how rules can be added to the `DOCKER-USER` chain

### Restrict connections to the Docker daemon

By default, all external source IPs are allowed to connect to the Docker daemon.
To allow only a specific IP or network to access the containers, insert a
negated rule at the top of the DOCKER filter chain. For example, the following
negated rule at the top of the `DOCKER-USER` filter chain. For example, the following
rule restricts external access to all IP addresses except 192.168.1.1:

```bash
Expand Down Expand Up @@ -49,6 +53,50 @@ the source and destination. For instance, if the Docker daemon listens on both
topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html)
for a lot more information.

### Filtering container traffic
The following example provides a set of filters and uses those filters for container and host traffic:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here

Suggested change
The following example provides a set of filters and uses those filters for container and host traffic:
The following example provides a set of filters and uses those filters for container and host traffic:


```
# WAN = eth0 ; LAN = eth1

# Reset counters
:DOCKER-USER - [0:0]

# Flush
-F DOCKER-USER

# Filters :
## Activate established connexions
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN

## Allow all on https/http
-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 80 -j RETURN
-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 443 -j RETURN

## Allow 8080 from ip
-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.11.11.0/24 -j RETURN
-A DOCKER-USER -i eth0 -p tcp -m tcp -m conntrack --ctorigdstport 8080 -s 10.22.22.0/24 -j RETURN

# Block all external
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN

COMMIT
```
> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a blank line between the code-fence, and the note here as well?

Suggested change
> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection,
> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection,

not the destination port on the packet being filtered. Therefore, responses to requests from Docker
to other servers have `SPT=80`, and match `--ctorigdstport 80`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for notes, we repeat the > on each line throughout the docs, so;

> **Note**: `--ctorigdstport` matches the destination port on the packet that initiated the connection, 
> not the destination port on the packet being filtered. Therefore, responses to requests from Docker 
> to other servers have `SPT=80`, and match `--ctorigdstport 80`.


For tighter control, all rules allowing the connection should have `--ctdir` added to specifically
express their meaning, as shown in the following example:

-A DOCKER-USER -s 1.2.3.4/32 -i eth0 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j ACCEPT

Load these rules with:

```bash
$ iptables-restore -n /etc/iptables.conf
```
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block now uses GitHub-flavor "fences", so should be un-indented, otherwise it shows up as a literal code block;

Screenshot 2019-10-07 at 13 49 38


## Prevent Docker from manipulating iptables

Expand All @@ -58,4 +106,5 @@ for most users, because the `iptables` policies then need to be managed by hand.

## Next steps

- Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)
- Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks]
(https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like the added whitespace broke the link

To wrap links, the wrapping needs to be done in the links' "caption";

- Read [Docker Reference Architecture: Designing Scalable, Portable Docker
  Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)

That's a bit awkward sometimes, so an alternative could be to rephrase it slightly;

- Read "Docker Reference Architecture: Designing Scalable, Portable Docker
  Container Networks" on [success.docker.com](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)

Or just don't wrap it (which I think in this case would be ok as an exception)