From ee05ddfb214dd49b579522e13a6a4c147df9f429 Mon Sep 17 00:00:00 2001 From: Jason Levine Date: Sat, 4 Mar 2017 19:17:01 -0500 Subject: [PATCH] Remove incorrect iptables-related information At the current time, Docker flushes any pre-existing DOCKER and DOCKER-ISOLATION chains, meaning that the previous advice was misleading and led users in the wrong direction regarding restricting access to containers via iptables. --- .../networking/default_network/container-communication.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/engine/userguide/networking/default_network/container-communication.md b/engine/userguide/networking/default_network/container-communication.md index 0f2904b0ec..ff7a855568 100644 --- a/engine/userguide/networking/default_network/container-communication.md +++ b/engine/userguide/networking/default_network/container-communication.md @@ -47,9 +47,9 @@ Docker will never make changes to your system `iptables` rules if you set `--iptables=false` when the daemon starts. Otherwise the Docker server will append forwarding rules to the `DOCKER` filter chain. -Docker will not delete or modify any pre-existing rules from the `DOCKER` filter -chain. This allows the user to create in advance any rules required to further -restrict access to the containers. +Docker will flush any pre-existing rules from the `DOCKER` and `DOCKER-ISOLATION` +filter chains, if they exist. For this reason, any rules needed to further +restrict access to containers need to be added after Docker has started. Docker's forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the
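Review bot: the replacement paragraph in this hunk ("Docker will flush any pre-existing rules from the `DOCKER` and `DOCKER-ISOLATION` filter chains, if they exist. For this reason, any rules needed to further restrict access to containers need to be added after Docker has started.") stops one step short of the consequence readers will hit: if the daemon flushes those chains on startup, then rules a user adds after startup are flushed again on the next daemon restart, so "added after Docker has started" has to be read as "re-added after every start". Suggest appending a sentence saying so, and pointing out that the two persistent options visible in this section are to re-apply the rules from a hook that runs after the daemon starts, or to run with `--iptables=false` (mentioned in the unchanged context above the hunk) and manage the forwarding rules entirely by hand. Minor wording point: "if they exist" adds nothing once the sentence already says "pre-existing rules"; "Docker flushes the `DOCKER` and `DOCKER-ISOLATION` filter chains on startup" says the same thing more directly. Also note that the unchanged sentence just above the hunk still says the daemon appends forwarding rules only to the `DOCKER` chain, while the new text introduces `DOCKER-ISOLATION` without saying what it is for; one clause explaining its role would keep the two paragraphs consistent.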