Alfredo, I have no examples of locking that one down on hand, but I can imagine that it should be feasible to lock it down.

Best regards,
Radek Gruchalski
[email protected]
de.linkedin.com/in/radgruchalski/

Confidentiality:
This communication is intended for the above-named person and may be confidential and/or legally privileged. If it has come to you in error you must take no action based on it, nor must you copy or show it to anyone; please delete/destroy and inform the sender immediately.

On Wednesday, 13 April 2016 at 22:14, Alfredo Carneiro wrote:
> Unfortunately, I am facing some problems... even with my INPUT rules allowing
> just some subnetworks, Docker is accepting connections from everywhere.
>
> On Wed, Apr 13, 2016 at 5:06 PM, Rad Gruchalski <[email protected]> wrote:
> > I actually found the complete thing you need. Here we go:
> >
> > *nat
> > …
> > :DOCKER - [0:0]
> > -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
> > -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
> > -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
> > # This is where the docker NAT rules go
> >
> > # NAT chains
> >
> > COMMIT
> >
> > *filter
> > …
> > :DOCKER - [0:0]
> > …
> > -A FORWARD -o docker0 -j DOCKER
> > -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > -A FORWARD -i docker0 -o docker0 -j ACCEPT
> >
> > This gives you everything you need. Thanks to Avinash for pointing this out.
> >
> > Best regards,
> > Radek Gruchalski
> >
> > On Wednesday, 13 April 2016 at 21:59, Alfredo Carneiro wrote:
> > > Oh man! Really thanks! It worked!
> > >
> > > On Wed, Apr 13, 2016 at 4:57 PM, Rad Gruchalski <[email protected]> wrote:
> > > > Have you tried restarting the docker daemon afterwards?
> > > >
> > > > Best regards,
> > > > Radek Gruchalski
> > > >
> > > > On Wednesday, 13 April 2016 at 21:53, Alfredo Carneiro wrote:
> > > > > Hey Rad,
> > > > >
> > > > > Thanks for your answer! I have added these lines and now it looks very
> > > > > similar to before.
> > > > >
> > > > > iptables -N DOCKER
> > > > > iptables -A FORWARD -o docker0 -j DOCKER
> > > > > iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > > iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > > > > iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
> > > > >
> > > > > However, I am still getting errors.
> > > > >
> > > > > docker: Error response from daemon: failed to create endpoint
> > > > > cranky_kilby on network bridge: iptables failed: iptables --wait -t
> > > > > nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination
> > > > > 172.17.0.2:8080 ! -i docker0: iptables: No chain/target/match by that name.
> > > > > (exit status 1).
> > > > >
> > > > > This is my iptables -L output:
> > > > >
> > > > > Chain FORWARD (policy DROP)
> > > > > target     prot opt source               destination
> > > > > DOCKER     all  --  anywhere             anywhere
> > > > > ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> > > > > ACCEPT     all  --  anywhere             anywhere
> > > > > ACCEPT     all  --  anywhere             anywhere
> > > > >
> > > > > Chain OUTPUT (policy ACCEPT)
> > > > > target     prot opt source               destination
> > > > > ACCEPT     all  --  anywhere             anywhere
> > > > >
> > > > > Chain DOCKER (1 references)
> > > > > target     prot opt source               destination
> > > > >
> > > > > I hid the INPUT chain because it is very big!
> > > > >
> > > > > Best Regards,
> > > > >
> > > > > On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <[email protected]> wrote:
> > > > > > Hi Alfredo,
> > > > > >
> > > > > > The only thing you need is:
> > > > > >
> > > > > > -A FORWARD -o docker0 -j DOCKER
> > > > > > -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > > > -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> > > > > > -A FORWARD -i docker0 -o docker0 -j ACCEPT
> > > > > >
> > > > > > Best regards,
> > > > > > Radek Gruchalski
> > > > > >
> > > > > > On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
> > > > > > > Hello guys,
> > > > > > >
> > > > > > > I don't know if this is the right place to ask. So, since we use a
> > > > > > > public cloud, we are trying to harden our servers by allowing
> > > > > > > traffic just from our subnetworks. However, when I tried to
> > > > > > > implement some iptables rules I got problems with Docker, which
> > > > > > > couldn't find its chain anymore.
> > > > > > >
> > > > > > > Then, I am wondering if anyone has ever implemented any iptables
> > > > > > > rule in this scenario.
> > > > > > >
> > > > > > > I've seen this[1] "tip"; however, I think that it does not apply to
> > > > > > > this case, because it is very "static".
> > > > > > >
> > > > > > > [1] - https://fralef.me/docker-and-iptables.html
> > > > > > >
> > > > > > > Best Regards,
> > > > > > >
> > > > > > > --
> > > > > > > Alfredo Miranda
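
A check to run after reloading a host ruleset, added here as an example and not code from the thread: it parses an iptables-save dump and reports which of the chains and FORWARD rules from Rad's "complete thing" reply are missing, the condition behind the "No chain/target/match by that name" error Alfredo hit. The two dumps are constructed samples (the INPUT rule and the 10.0.0.0/8 subnet are assumed); on a real host pass "$(iptables-save)" instead.

```shell
# Constructed sample: an iptables-save dump after the rules from the thread
# were re-added and the daemon restarted (one assumed host INPUT rule kept).
FIXED_DUMP='*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT'
# Constructed broken sample: the same dump with everything Docker added
# stripped, which is what a reload of the host's own ruleset leaves behind.
BROKEN_DUMP=$(printf '%s\n' "$FIXED_DUMP" | grep -v -e DOCKER -e docker0)

# Every line Docker needs, as "table|line" ('|' never occurs in these rules).
REQUIRED='nat|:DOCKER - [0:0]
nat|-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
nat|-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
nat|-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
filter|:DOCKER - [0:0]
filter|-A FORWARD -o docker0 -j DOCKER
filter|-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter|-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
filter|-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# table_section DUMP TABLE: print the lines between "*TABLE" and its COMMIT.
table_section() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { p = 1; next } /^COMMIT$/ { p = 0 } p'
}

# check_docker_rules DUMP: print each missing chain or rule and return how
# many were missing (0 means the complete set from the thread is present).
check_docker_rules() {
    missing=0
    while IFS='|' read -r table line; do
        table_section "$1" "$table" | grep -qxF -- "$line" ||
            { echo "$table: missing '$line'"; missing=$((missing + 1)); }
    done <<EOF
$REQUIRED
EOF
    return $missing
}
```

Alfredo's follow-up that his INPUT rules do not restrict Docker is expected from the dump itself: the nat PREROUTING rule DNATs published ports to the container, so that traffic traverses FORWARD rather than INPUT, and a subnet allow-list has to be expressed on the FORWARD path to docker0.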

