Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
| ... | ... |
@@ -184,30 +184,46 @@ running. The options then modify this default configuration. |
| 184 | 184 |
|
| 185 | 185 |
<a name="the-world"></a> |
| 186 | 186 |
|
| 187 |
-Whether a container can talk to the world is governed by one main factor. |
|
| 187 |
+Whether a container can talk to the world is governed by two factors. |
|
| 188 | 188 |
|
| 189 |
-Is the host machine willing to forward IP packets? This is governed |
|
| 190 |
-by the `ip_forward` system parameter. Packets can only pass between |
|
| 191 |
-containers if this parameter is `1`. Usually you will simply leave |
|
| 192 |
-the Docker server at its default setting `--ip-forward=true` and |
|
| 193 |
-Docker will go set `ip_forward` to `1` for you when the server |
|
| 194 |
-starts up. To check the setting or turn it on manually: |
|
| 195 |
- |
|
| 196 |
- # Usually not necessary: turning on forwarding, |
|
| 197 |
- # on the host where your Docker server is running |
|
| 189 |
+1. Is the host machine willing to forward IP packets? This is governed |
|
| 190 |
+ by the `ip_forward` system parameter. Packets can only pass between |
|
| 191 |
+ containers if this parameter is `1`. Usually you will simply leave |
|
| 192 |
+ the Docker server at its default setting `--ip-forward=true` and |
|
| 193 |
+ Docker will go set `ip_forward` to `1` for you when the server |
|
| 194 |
+ starts up. To check the setting or turn it on manually: |
|
| 198 | 195 |
|
| 196 |
+ ``` |
|
| 199 | 197 |
$ cat /proc/sys/net/ipv4/ip_forward |
| 200 | 198 |
0 |
| 201 |
- $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward |
|
| 199 |
+ $ echo 1 > /proc/sys/net/ipv4/ip_forward |
|
| 202 | 200 |
$ cat /proc/sys/net/ipv4/ip_forward |
| 203 | 201 |
1 |
| 202 |
+ ``` |
|
| 203 |
+ |
|
| 204 |
+ Many using Docker will want `ip_forward` to be on, to at |
|
| 205 |
+ least make communication *possible* between containers and |
|
| 206 |
+ the wider world. |
|
| 207 |
+ |
|
| 208 |
+ May also be needed for inter-container communication if you are |
|
| 209 |
+ in a multiple bridge setup. |
|
| 210 |
+ |
|
| 211 |
+2. Do your `iptables` allow this particular connection? Docker will |
|
| 212 |
+ never make changes to your system `iptables` rules if you set |
|
| 213 |
+ `--iptables=false` when the daemon starts. Otherwise the Docker |
|
| 214 |
+ server will append forwarding rules to the `DOCKER` filter chain. |
|
| 215 |
+ |
|
| 216 |
+Docker will not delete or modify any pre-existing rules from the `DOCKER` |
|
| 217 |
+filter chain. This allows the user to create in advance any rules required |
|
| 218 |
+to further restrict access to the containers. |
|
| 204 | 219 |
|
| 205 |
-Many using Docker will want `ip_forward` to be on, to at |
|
| 206 |
-least make communication *possible* between containers and |
|
| 207 |
-the wider world. |
|
| 220 |
+Docker's forward rules permit all external source IPs by default. To allow |
|
| 221 |
+only a specific IP or network to access the containers, insert a negated |
|
| 222 |
+rule at the top of the `DOCKER` filter chain. For example, to restrict |
|
| 223 |
+external access such that *only* source IP 8.8.8.8 can access the |
|
| 224 |
+containers, the following rule could be added: |
|
| 208 | 225 |
|
| 209 |
-May also be needed for inter-container communication if you are |
|
| 210 |
-in a multiple bridge setup. |
|
| 226 |
+ $ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP |
|
| 211 | 227 |
|
| 212 | 228 |
## Communication between containers |
| 213 | 229 |
|
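Review bot: the restriction example at new line 226 (`$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP`) enforces less than the prose at new lines 223-224 claims: the rule matches only packets arriving on `ext_if`, so "*only* source IP 8.8.8.8 can access the containers" holds for that interface alone, and traffic reaching the `DOCKER` chain from any other interface is still accepted by Docker's own rules. State that limitation, and mark `ext_if` explicitly as a placeholder the reader must replace with the host's real external interface. Two smaller points in the same passage: 8.8.8.8 is a live public address, so an RFC 5737 documentation address such as 192.0.2.10 would avoid readers pasting a real third-party IP into their firewall; and new line 199 replaces `sudo echo 1 > /proc/sys/net/ipv4/ip_forward` with a bare `echo`, which only works in a root shell, so `echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward` (or `sudo sysctl -w net.ipv4.ip_forward=1`) would keep the snippet correct for the non-root `$` prompt it uses. Finally, new lines 216-218 promise that Docker will not delete or modify pre-existing rules in the `DOCKER` chain; say whether that also holds across a daemon restart, since a reader relying on the inserted `DROP` rule for exposure control needs to know whether it must be re-applied.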
| ... | ... |
@@ -222,12 +238,12 @@ system level, by two factors. |
| 222 | 222 |
between them. See the later sections of this document for other |
| 223 | 223 |
possible topologies. |
| 224 | 224 |
|
| 225 |
-2. Do your `iptables` allow this particular connection to be made? |
|
| 226 |
- Docker will never make changes to your system `iptables` rules if |
|
| 227 |
- you set `--iptables=false` when the daemon starts. Otherwise the |
|
| 228 |
- Docker server will add a default rule to the `FORWARD` chain with a |
|
| 229 |
- blanket `ACCEPT` policy if you retain the default `--icc=true`, or |
|
| 230 |
- else will set the policy to `DROP` if `--icc=false`. |
|
| 225 |
+2. Do your `iptables` allow this particular connection? Docker will never |
|
| 226 |
+ make changes to your system `iptables` rules if you set |
|
| 227 |
+ `--iptables=false` when the daemon starts. Otherwise the Docker server |
|
| 228 |
+ will add a default rule to the `FORWARD` chain with a blanket `ACCEPT` |
|
| 229 |
+ policy if you retain the default `--icc=true`, or else will set the |
|
| 230 |
+ policy to `DROP` if `--icc=false`. |
|
| 231 | 231 |
|
| 232 | 232 |
It is a strategic question whether to leave `--icc=true` or change it to |
| 233 | 233 |
`--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in |
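Review bot: the rewritten item 2 at new lines 225-230 is now almost word-for-word the item 2 added to the external-access section at new lines 211-214, but the two give different accounts of where Docker's rules live (this one names the `FORWARD` chain, the other the `DOCKER` filter chain). Either cross-reference the two or spell out once that the `--icc` policy rule is placed in `FORWARD` while per-container rules go into `DOCKER`, so a reader inspecting `iptables` knows which chain to look at for which behaviour. As a style point, the rest of this hunk only re-wraps existing sentences without changing their content, which makes the diff noisier than the actual change warrants.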
| ... | ... |
@@ -267,6 +283,7 @@ the `FORWARD` chain has a default policy of `ACCEPT` or `DROP`: |
| 267 | 267 |
... |
| 268 | 268 |
Chain FORWARD (policy ACCEPT) |
| 269 | 269 |
target prot opt source destination |
| 270 |
+ DOCKER all -- 0.0.0.0/0 0.0.0.0/0 |
|
| 270 | 271 |
DROP all -- 0.0.0.0/0 0.0.0.0/0 |
| 271 | 272 |
... |
| 272 | 273 |
|
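Review bot: the added `DOCKER all -- 0.0.0.0/0 0.0.0.0/0` at new line 270 now precedes the `DROP all` rule in the `FORWARD` listing, and that ordering is the whole reason the `--icc=false` setup still works, but nothing in the surrounding text says so. Add a sentence after the listing noting that the jump to `DOCKER` must come before the blanket `DROP`, because a packet that reaches the `DROP` first is never evaluated against the per-container rules in `DOCKER`. The listing also still shows `(policy ACCEPT)` while the explicit `DROP` does the work; a short remark that the default policy is unchanged and the `DROP` rule is what enforces `--icc=false` would keep readers from looking for a `DROP` policy that is not there.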
| ... | ... |
@@ -278,9 +295,13 @@ the `FORWARD` chain has a default policy of `ACCEPT` or `DROP`: |
| 278 | 278 |
... |
| 279 | 279 |
Chain FORWARD (policy ACCEPT) |
| 280 | 280 |
target prot opt source destination |
| 281 |
+ DOCKER all -- 0.0.0.0/0 0.0.0.0/0 |
|
| 282 |
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 |
|
| 283 |
+ |
|
| 284 |
+ Chain DOCKER (1 references) |
|
| 285 |
+ target prot opt source destination |
|
| 281 | 286 |
ACCEPT tcp -- 172.17.0.2 172.17.0.3 tcp spt:80 |
| 282 | 287 |
ACCEPT tcp -- 172.17.0.3 172.17.0.2 tcp dpt:80 |
| 283 |
- DROP all -- 0.0.0.0/0 0.0.0.0/0 |
|
| 284 | 288 |
|
| 285 | 289 |
> **Note**: |
| 286 | 290 |
> Docker is careful that its host-wide `iptables` rules fully expose |
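Review bot: with the two `ACCEPT` rules at new lines 286-287 now listed under `Chain DOCKER (1 references)` and the `DROP` moved up to new line 282 in `FORWARD`, the text should state how a linked container's traffic actually passes: a packet matching one of the `ACCEPT` rules is accepted inside `DOCKER`, while any packet that matches nothing in `DOCKER` returns to `FORWARD` and hits the `DROP`. Without that sentence a reader cannot tell why the `DROP` was removed from the end of this block at old line 283 and why its new position in `FORWARD` is equivalent. It is also worth a line that the `DROP all -- 0.0.0.0/0 0.0.0.0/0` rule in `FORWARD` applies to every forwarded packet on the host, not only container traffic, so hosts that also route other traffic need to account for it.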