Add more details about Docker and iptables

2018-02-06 11:38:30 -08:00 · 2018-02-06 11:38:30 -08:00 · 807610482b
parent a8e84a80e1
commit 807610482b
3 changed files with 63 additions and 5 deletions
--- a/_data/toc.yaml
+++ b/_data/toc.yaml
@ -207,10 +207,6 @@ guides:
      path: /get-started/part5/
    - title: "Part 6: Deploy your app"
      path: /get-started/part6/
  - sectiontitle: Learn by example
    section:
    - path: /engine/tutorials/networkingcontainers/
      title: Network containers
  - path: /engine/docker-overview/
    title: Docker overview
 - sectiontitle: Develop with Docker
--- a/network/index.md
+++ b/network/index.md
@ -29,7 +29,8 @@ This topic does **not** go into OS-specific details about how Docker networks
 work, so you will not find information about how Docker manipulates `iptables`
 rules on Linux or how it manipulates routing rules on Windows servers, and you
 will not find detailed information about how Docker forms and encapsulates
-packets or handles encryption. See
+packets or handles encryption. See [Docker and iptables](/network/iptables.md)
 and
 [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)
 for a much greater depth of technical detail.
--- a/network/iptables.md
+++ b/network/iptables.md
@ -0,0 +1,61 @@
 ---
 title: Docker and iptables
 description: The basics of how Docker works with iptables
 keywords: network, iptables
 ---
 On Linux, Docker manipulates `iptables` rules to provide network isolation.
 This is an implementation detail, and you should not modify the rules Docker
 inserts into your `iptables` policies.
 ## Add iptables policies before Docker's rules
 All of Docker's `iptables` rules are added to the `DOCKER` table. Do not
 manipulate this table manually. If you need to add rules which load before
 Docker's rules, add them to the `DOCKER-USER` table. These rules are loaded
 before any rules Docker creates automatically.
 ### Restrict connections to the Docker daemon
 By default, all external source IPs are allowed to connect to the Docker daemon.
 To allow only a specific IP or network to access the containers, insert a
 negated rule at the top of the DOCKER filter chain. For example, the following
 rule restricts external access to all IP addresses except 192.168.1.1:
 ```bash
 $ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
 ```
 You could instead allow connections from a source subnet. The following rule
 only allows access from the subnet 192.168.1.0/24:
 ```bash
 $ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
 ```
 Finally, you can specify a range of IP addresses to accept using `--src-range`
 (Remember to also add `-m iprange` wen using `--src-range` or `--dst-range`):
 ```bash
 $ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.168.1.1-192.168.1.3 -j DROP
 ```
 You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both
 the source and destination. For instance, if the Docker daemon listens on both
 192.168.1.99 and 10.1.2.3, you can make rules specific to `10.1.2.3` and leave
 `192.168.1.99` open.
 `iptables` is complicated and more complicated rule are out of scope for this
 topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html)
 for a lot more information.
 ## Prevent Docker from manipulating iptables
 To prevent Docker from manipulating the `iptables` policies at all, set the
 `iptables` key to `false` in `/etc/docker/daemon.json`. This is inappropriate
 for most users, because the `iptables` policies then need to be managed by hand.
 ## Next steps
 - Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)