I actually found the complete thing you need. Here we go:

*nat
…
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# This is where the docker NAT rules go
# NAT chains
COMMIT
*filter
…
:DOCKER - [0:0]
…
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

This gives you everything you need. Thanks to Avinash for pointing this out.

Best regards,
Radek Gruchalski
[email protected]
de.linkedin.com/in/radgruchalski/

Confidentiality:
This communication is intended for the above-named person and may be confidential and/or legally privileged. If it has come to you in error you must take no action based on it, nor must you copy or show it to anyone; please delete/destroy and inform the sender immediately.

On Wednesday, 13 April 2016 at 21:59, Alfredo Carneiro wrote:
> Oh man! Really thanks! It worked!
>
> On Wed, Apr 13, 2016 at 4:57 PM, Rad Gruchalski <[email protected]> wrote:
> > Have you tried restarting the docker daemon afterwards?
> >
> > Best regards,
> > Radek Gruchalski
> >
> > On Wednesday, 13 April 2016 at 21:53, Alfredo Carneiro wrote:
> > > Hey Rad,
> > >
> > > Thanks for your answer! I have added these lines and now it looks very similar to before.
> > >
> > > iptables -N DOCKER
> > > iptables -A FORWARD -o docker0 -j DOCKER
> > > iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > > iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
> > >
> > > However, I am still getting errors.
> > >
> > > docker: Error response from daemon: failed to create endpoint cranky_kilby on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0: iptables: No chain/target/match by that name.
> > > (exit status 1).
> > >
> > > This is my iptables -L output:
> > >
> > > Chain FORWARD (policy DROP)
> > > target     prot opt source               destination
> > > DOCKER     all  --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> > > ACCEPT     all  --  anywhere             anywhere
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > ACCEPT     all  --  anywhere             anywhere
> > >
> > > Chain DOCKER (1 references)
> > > target     prot opt source               destination
> > >
> > > I hid the INPUT chain because it is very big!
> > >
> > > Best Regards,
> > >
> > > On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <[email protected]> wrote:
> > > > Hi Alfredo,
> > > >
> > > > The only thing you need is:
> > > >
> > > > -A FORWARD -o docker0 -j DOCKER
> > > > -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > > > -A FORWARD -i docker0 -o docker0 -j ACCEPT
> > > >
> > > > Best regards,
> > > > Radek Gruchalski
> > > >
> > > > On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
> > > > > Hello guys,
> > > > >
> > > > > I don't know if this is the right place to ask. So, since we use public cloud, we are trying to harden our servers by allowing traffic just from our subnetworks. However, when I tried to implement some iptables rules I got problems with Docker, which couldn't find its chain anymore.
> > > > >
> > > > > So I am wondering if anyone has ever implemented any iptables rules in this scenario.
> > > > >
> > > > > I've seen this[1] "tip"; however, I think that it does not apply to this case, because it is very "static".
> > > > >
> > > > > [1] - https://fralef.me/docker-and-iptables.html
> > > > >
> > > > > Best Regards,
> > > > >
> > > > > --
> > > > > Alfredo Miranda
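The error quoted in the thread comes from `iptables --wait -t nat -A DOCKER ...`, i.e. the DOCKER chain was missing in the nat table; `iptables -N DOCKER` without `-t nat` only creates it in the filter table, which is why the filter-only rules were not enough and the final reply adds the nat section. The script below is an added example, not code from the thread or from Docker: it generates the same rule set in two forms, an iptables-restore fragment and a list of idempotent `iptables -C || iptables -A` commands that can be re-run from a firewall script without stacking duplicates. The bridge name `docker0` and subnet `172.17.0.0/16` are Docker's defaults as shown in the thread; the optional third argument (an allowed source range, `10.0.0.0/8` in the usage) and the `-I FORWARD ... -j DROP` rule it produces are my addition for the original poster's goal of only accepting traffic from their own subnets.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the iptables rules Docker's
# default bridge needs after a host firewall has replaced the rule set.
# Assumed defaults: bridge docker0, container subnet 172.17.0.0/16.

BRIDGE="${BRIDGE:-docker0}"
SUBNET="${SUBNET:-172.17.0.0/16}"
ALLOWED_SRC="${ALLOWED_SRC:-}"   # e.g. 10.0.0.0/8; empty = no restriction

# Emit an iptables-restore fragment: the nat and filter rules quoted in the
# thread, plus an optional DROP for new connections to containers that do not
# come from $3. Published ports reach containers through PREROUTING DNAT and
# the FORWARD chain, so an allowlist in INPUT never sees them; the restriction
# has to live in FORWARD. -I puts it ahead of the ACCEPT rules, "! -i bridge"
# leaves container-to-container traffic alone, and "--ctstate NEW" leaves
# replies to outbound container connections alone.
docker_restore_rules() {
  bridge="$1"; subnet="$2"; allowed="${3:-}"
  cat <<EOF
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s $subnet ! -o $bridge -j MASQUERADE
COMMIT
*filter
:DOCKER - [0:0]
EOF
  if [ -n "$allowed" ]; then
    # Hypothetical hardening rule (my addition, not one of Docker's own).
    echo "-I FORWARD ! -i $bridge -o $bridge -m conntrack --ctstate NEW ! -s $allowed -j DROP"
  fi
  cat <<EOF
-A FORWARD -o $bridge -j DOCKER
-A FORWARD -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $bridge ! -o $bridge -j ACCEPT
-A FORWARD -i $bridge -o $bridge -j ACCEPT
COMMIT
EOF
}

# Turn the fragment into idempotent commands: create each chain only if it is
# missing, and append/insert each rule only if "iptables -C" says it is absent.
# Re-running the output (for example from a boot hook) therefore never
# duplicates the FORWARD rules. $IPTABLES overrides the binary name.
docker_idempotent_commands() {
  docker_restore_rules "$1" "$2" "${3:-}" | awk -v ipt="${IPTABLES:-iptables}" '
    /^\*/     { table = substr($0, 2); next }
    /^:/      { chain = substr($1, 2)
                printf "%s -w -t %s -N %s 2>/dev/null || true\n", ipt, table, chain; next }
    /^-[AI] / { verb = substr($0, 2, 1); rule = substr($0, 4)
                printf "%s -w -t %s -C %s || %s -w -t %s -%s %s\n",
                       ipt, table, rule, ipt, table, verb, rule; next }
  '
}

# Usage:  sh docker-iptables.sh print      (restore-format rules on stdout)
#         sh docker-iptables.sh commands   (idempotent iptables commands)
#         ALLOWED_SRC=10.0.0.0/8 sh docker-iptables.sh commands | sudo sh
case "${1:-}" in
  print)    docker_restore_rules "$BRIDGE" "$SUBNET" "$ALLOWED_SRC" ;;
  commands) docker_idempotent_commands "$BRIDGE" "$SUBNET" "$ALLOWED_SRC" ;;
esac
```

Two caveats when applying this. The `print` form is meant for `iptables-restore`, which flushes the whole table unless it is given `--noflush`, and with `--noflush` a second run appends the FORWARD rules again; the `commands` form avoids both problems with `-C`. Docker itself fills the DOCKER chains with the per-container DNAT and ACCEPT rules, so after the chains are recreated restart the daemon, as the thread advises, so it repopulates them. In Docker 17.06 and later the daemon also provides a DOCKER-USER chain, evaluated before its own FORWARD rules, which is the supported place for a rule like the DROP above; the thread predates it.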

