Add more details about Docker and iptables

_data/toc.yaml

@@ -207,10 +207,6 @@ guides:
       path: /get-started/part5/
     - title: "Part 6: Deploy your app"
       path: /get-started/part6/
-  - sectiontitle: Learn by example
-    section:
-    - path: /engine/tutorials/networkingcontainers/
-      title: Network containers
   - path: /engine/docker-overview/
     title: Docker overview
 - sectiontitle: Develop with Docker

network/index.md

@@ -29,7 +29,8 @@ This topic does **not** go into OS-specific details about how Docker networks
 work, so you will not find information about how Docker manipulates `iptables`
 rules on Linux or how it manipulates routing rules on Windows servers, and you
 will not find detailed information about how Docker forms and encapsulates
-packets or handles encryption. See
+packets or handles encryption. See [Docker and iptables](/network/iptables.md)
+and
 [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)
 for a much greater depth of technical detail.
 

network/iptables.md

@@ -0,0 +1,61 @@
+---
+title: Docker and iptables
+description: The basics of how Docker works with iptables
+keywords: network, iptables
+---
+
+On Linux, Docker manipulates `iptables` rules to provide network isolation.
+This is an implementation detail, and you should not modify the rules Docker
+inserts into your `iptables` policies.
+
+## Add iptables policies before Docker's rules
+
+All of Docker's `iptables` rules are added to the `DOCKER` table. Do not
+manipulate this table manually. If you need to add rules which load before
+Docker's rules, add them to the `DOCKER-USER` table. These rules are loaded
+before any rules Docker creates automatically.
+
+### Restrict connections to the Docker daemon
+
+By default, all external source IPs are allowed to connect to the Docker daemon.
+To allow only a specific IP or network to access the containers, insert a
+negated rule at the top of the DOCKER filter chain. For example, the following
+rule restricts external access to all IP addresses except 192.168.1.1:
+
+```bash
+$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
+```
+
+You could instead allow connections from a source subnet. The following rule
+only allows access from the subnet 192.168.1.0/24:
+
+```bash
+$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
+```
+
+Finally, you can specify a range of IP addresses to accept using `--src-range`
+(Remember to also add `-m iprange` wen using `--src-range` or `--dst-range`):
+
+```bash
+$ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.168.1.1-192.168.1.3 -j DROP
+```
+
+You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both
+the source and destination. For instance, if the Docker daemon listens on both
+192.168.1.99 and 10.1.2.3, you can make rules specific to `10.1.2.3` and leave
+`192.168.1.99` open.
+
+`iptables` is complicated and more complicated rule are out of scope for this
+topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html)
+for a lot more information.
+
+
+## Prevent Docker from manipulating iptables
+
+To prevent Docker from manipulating the `iptables` policies at all, set the
+`iptables` key to `false` in `/etc/docker/daemon.json`. This is inappropriate
+for most users, because the `iptables` policies then need to be managed by hand.
+
+## Next steps
+
+- Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)