moby: Docker should not update FORWARD chain on startup

We want to use docker in a restricted setup where we can control who has access to the running containers. On startup docker adds rules to the FORWARD chain, empties the DOCKER chain and resets the DOCKER-ISOLATION chain.

Since we want to restrict access to the used bridges we want to add rules preventing this in the FORWARD chain, but the problem with this is that docker puts its own rules before our custom rules, in effect offering access to the containers for everyone.

Is there any setting to prevent docker from changing the FORWARD chain on startup and only update the DOCKER chain? Or is it possible to implement such a switch? This way you can control access to the docker containers without messing up docker's automatic firewall settings when using port mappings.

The --iptables=false setting works, but when starting containers nothing is added to the iptables anymore. So that isn’t a workable solution either…

Output of docker version:

Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Wed Apr 27 00:34:42 2016
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 2
 Running: 1
 Paused: 0
 Stopped: 1
Images: 111
Server Version: 1.11.1
Storage Driver: devicemapper
 Pool Name: docker-253:1-150997978-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 11.77 GB
 Data Space Total: 107.4 GB
 Data Space Available: 7.219 GB
 Metadata Space Used: 15.33 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.132 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: overlay bridge null host
Kernel Version: 3.10.0-327.13.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.79 GiB
Name: xxxx.xxxxxxxxxxx.xx
ID: H2Q6:YFIW:O4SQ:55KY:ZDPS:S5OT:XXJJ:HYEV:UDON:5TWF:3CMK:GILX
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Http Proxy: http://192.168.202.13:3128
Https Proxy: http://192.168.202.13:3128
No Proxy: /var/run/docker.soc,localhost,127.0.0.1
Registry: https://index.docker.io/v1/
Labels:
 nl.bzk.rol=db
Cluster store: etcd://192.168.197.230:2379/cluster01
Cluster advertise: 192.168.197.231:2375

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 6
  • Comments: 20 (7 by maintainers)

Most upvoted comments

Hello,

+1 for a solution. I’m also searching for a solution to route the packets to a custom chain (for filtering) via FORWARD before they go to the docker ones (DOCKER-INGRESS and DOCKER-ISOLATION). When I restart the docker engine, my rule that routes packets to the custom chain is unexpectedly going down in the list and my policy is not met anymore…

Same use case as @stszap.

My custom rule is always below docker's rules (a jump to the firewall-filter chain).

[gw.b.bj ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
firewall-filter  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
firewall-filter  all  --  anywhere             anywhere

How do I prevent docker from modifying the FORWARD chain!!!

[gw.b.bj ~]# docker info
Containers: 7
 Running: 7
 Paused: 0
 Stopped: 0
Images: 115
Server Version: 1.12.3
Storage Driver: devicemapper
 Pool Name: docker-253:1-402519-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 616.1 MB
 Data Space Total: 107.4 GB
 Data Space Available: 35.6 GB
 Metadata Space Used: 2.011 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.145 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2016-06-09)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: overlay host bridge null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: seccomp
Kernel Version: 3.10.0-327.36.3.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 993 MiB
Name: iz2zebgky0qb6npu5tkvz5z
ID: H3FY:PJEW:RGRU:E732:HLI3:FFZB:DUPA:LJO3:Q3B5:PK7P:JXJQ:4R63
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Insecure Registries:
 127.0.0.0/8

@jcstover Thank you for your workaround, but I'm afraid that it isn't working for me. What I tried: start docker, list iptables rules:

# iptables -L FORWARD -nv  --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Stop docker, add a test rule after DOCKER-ISOLATION (iptables -I FORWARD 2 -s 8.8.8.8 -j ACCEPT), list rules again:

# iptables -L FORWARD -nv  --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  *      *       8.8.8.8              0.0.0.0/0           
3        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Start docker, list rules again:

# iptables -L FORWARD -nv
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
0     0 ACCEPT     all  --  *      *       8.8.8.8              0.0.0.0/0

And my rule is at the bottom. I tried to insert it at the top, but it always ends up at the bottom of the FORWARD chain after docker is started.

docker version
Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:13:43 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:13:43 2016
 OS/Arch:      linux/amd64
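
The reordering described in the original issue and reproduced in the comment above can be checked mechanically after every dockerd restart instead of by eye. The script below is an added example, not code from this issue or from Moby: it parses the output of iptables -L FORWARD -nv (with or without --line-numbers), replays the two listings quoted in the comment above, and reports whether a custom rule still precedes Docker's first accepting rule. Docker's first accepting rule is taken to be the jump to the DOCKER chain or an ACCEPT on a docker bridge interface; DOCKER-ISOLATION only drops cross-bridge traffic and otherwise returns, so a rule placed after it but before the DOCKER jump is still effective. The names parse_chain_listing, custom_rule_status, is_docker_accept and is_test_rule are this example's own.

```python
"""Check whether a custom FORWARD rule still precedes Docker's accepting rules.
Added example for this thread; parses `iptables -L FORWARD -nv [--line-numbers]`."""
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Rule:
    target: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "ctstate RELATED,ESTABLISHED"


def parse_chain_listing(text: str) -> List[Rule]:
    """Parse `iptables -L <chain> -nv` output; the header row fixes the column layout."""
    rules: List[Rule] = []
    columns: Optional[List[str]] = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Chain":
            continue                      # blank line or "Chain FORWARD (policy ...)"
        if fields[0] in ("num", "pkts"):
            columns = fields              # with or without the --line-numbers column
            continue
        if columns is None or len(fields) < len(columns):
            continue                      # anything before the header is not a rule
        row = dict(zip(columns, fields))
        extra = " ".join(fields[len(columns):])
        rules.append(Rule(row["target"], row["in"], row["out"],
                          row["source"], row["destination"], extra))
    return rules


def first_index(rules: List[Rule], pred: Callable[[Rule], bool]) -> Optional[int]:
    return next((i for i, r in enumerate(rules) if pred(r)), None)


def is_docker_accept(rule: Rule) -> bool:
    """A rule of Docker's that can accept traffic towards a container."""
    on_bridge = rule.in_if.startswith("docker") or rule.out_if.startswith("docker")
    return rule.target == "DOCKER" or (rule.target == "ACCEPT" and on_bridge)


def custom_rule_status(rules: List[Rule], is_custom: Callable[[Rule], bool]) -> str:
    """'absent', 'before' or 'after' relative to Docker's first accepting rule."""
    custom = first_index(rules, is_custom)
    docker = first_index(rules, is_docker_accept)
    if custom is None:
        return "absent"
    if docker is None or custom < docker:
        return "before"
    return "after"


def is_test_rule(rule: Rule) -> bool:
    """The test rule used in the thread: ACCEPT with source 8.8.8.8."""
    return rule.target == "ACCEPT" and rule.source == "8.8.8.8"


# Listings copied from the comment above: after inserting the test rule with
# dockerd stopped, and after starting dockerd again.
BEFORE_RESTART = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       8.8.8.8              0.0.0.0/0
3        0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5        0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
"""

AFTER_RESTART = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
0     0 ACCEPT     all  --  *      *       8.8.8.8              0.0.0.0/0
"""


def check(text: str) -> str:
    return custom_rule_status(parse_chain_listing(text), is_test_rule)


if __name__ == "__main__":
    # With a file argument, check a saved listing; otherwise replay the thread's listings.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(check(fh.read()))
    else:
        print("before restart:", check(BEFORE_RESTART))   # before
        print("after restart: ", check(AFTER_RESTART))    # after
```

Run it from a post-start hook (iptables -L FORWARD -nv --line-numbers > listing.txt; python3 check_forward.py listing.txt) and alert on anything other than "before"; "after" is exactly the silent exposure the original issue describes, where Docker's accepts are consulted before the site policy. In Docker 17.06 and later (the release the maintainer comment below targets), dockerd creates a DOCKER-USER chain, jumps to it as the first FORWARD rule and does not flush it on restart, so site rules belong there; the same check then applies with is_custom matching the DOCKER-USER jump instead of the 8.8.8.8 test rule.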

@trapier can you open a pull request in that repo (against the 17.06 branch; https://github.com/docker/docker-ce/blob/17.06/CHANGELOG.md)? We can update the changelog on GitHub with the same information afterwards