mirror of https://github.com/docker/docs.git
62 lines
2.5 KiB
Markdown
62 lines
2.5 KiB
Markdown
---
|
|
title: Docker and iptables
|
|
description: The basics of how Docker works with iptables
|
|
keywords: network, iptables
|
|
---
|
|
|
|
On Linux, Docker manipulates `iptables` rules to provide network isolation.
|
|
This is an implementation detail, and you should not modify the rules Docker
|
|
inserts into your `iptables` policies.
|
|
|
|
## Add iptables policies before Docker's rules
|
|
|
|
All of Docker's `iptables` rules are added to the `DOCKER` chain. Do not
|
|
manipulate this table manually. If you need to add rules which load before
|
|
Docker's rules, add them to the `DOCKER-USER` chain. These rules are loaded
|
|
before any rules Docker creates automatically.
|
|
|
|
### Restrict connections to the Docker daemon
|
|
|
|
By default, all external source IPs are allowed to connect to the Docker daemon.
|
|
To allow only a specific IP or network to access the containers, insert a
|
|
negated rule at the top of the DOCKER filter chain. For example, the following
|
|
rule restricts external access to all IP addresses except 192.168.1.1:
|
|
|
|
```bash
|
|
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
|
|
```
|
|
|
|
You could instead allow connections from a source subnet. The following rule
|
|
only allows access from the subnet 192.168.1.0/24:
|
|
|
|
```bash
|
|
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
|
|
```
|
|
|
|
Finally, you can specify a range of IP addresses to accept using `--src-range`
|
|
(Remember to also add `-m iprange` when using `--src-range` or `--dst-range`):
|
|
|
|
```bash
|
|
$ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.168.1.1-192.168.1.3 -j DROP
|
|
```
|
|
|
|
You can combine `-s` or `--src-range` with `-d` or `--dst-range` to control both
|
|
the source and destination. For instance, if the Docker daemon listens on both
|
|
192.168.1.99 and 10.1.2.3, you can make rules specific to `10.1.2.3` and leave
|
|
`192.168.1.99` open.
|
|
|
|
`iptables` is complicated and more complicated rule are out of scope for this
|
|
topic. See the [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html)
|
|
for a lot more information.
|
|
|
|
|
|
## Prevent Docker from manipulating iptables
|
|
|
|
To prevent Docker from manipulating the `iptables` policies at all, set the
|
|
`iptables` key to `false` in `/etc/docker/daemon.json`. This is inappropriate
|
|
for most users, because the `iptables` policies then need to be managed by hand.
|
|
|
|
## Next steps
|
|
|
|
- Read [Docker Reference Architecture: Designing Scalable, Portable Docker Container Networks](https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks)
|