Docker

How to Configure the Iptables in a Docker Container

Docker is a popular software platform that allows the developers to easily create and manage the applications in a virtual environment called a container. It provides a way to package and ship the software in a standardized format that can run on any machine, regardless of its underlying operating system or hardware. Containers are lightweight and isolated from other containers and the host system which provides a secure and efficient way to deploy and run the applications. Docker has become a popular tool for building and deploying the applications in a variety of environments, from local development to production servers and cloud-based infrastructure.

Docker containers can be used to run multiple applications on the same host machine without interfering with each other. However, since the containers share the same kernel as the host machine, it is important to configure the iptables rules in the container to ensure that it is secure and can communicate with the outside world. In this article, we will discuss how to configure the iptables in a Docker container.

Before we dive into how the configuration of iptables in a Docker container works, let’s first understand how the iptables in Docker work.

When you run a Docker container, it creates a virtual network interface which is like a virtual cable that connects the container to a virtual network. This virtual network is called a “bridge network” and it connects the containers to the host machine and to each other. The virtual network interface is given with an IP address in the bridge network which allows the container to talk to other containers and the host machine.

Iptables is used to control the traffic that enters and exits the container. Docker creates a set of Iptables rules that allow all traffic to and from the container, except for the traffic that is explicitly blocked by the host machine’s firewall rules. This means that the container can communicate with any IP address on the network, including the potentially harmful ones.

Let us now learn how we can configure the iptables in docker containers.

Configuring the Iptables in a Docker Container

To configure the iptables in a Docker container, you can use the same iptables commands that you would use on a regular Linux machine.

Note: There are some important considerations to keep in mind before we can start:

    • Since Docker containers share the same kernel as the host machine, any iptables rules that you add to the container will also affect the host machine. Therefore, you should be careful when adding rules to the container as they can potentially affect the other applications that run on the host machine.
    • You should be aware of the Docker-specific chains that are created by Docker when a container is started. These chains are used to manage the network traffic between the container and the host machine, as well as between multiple containers. The main chains that you should be familiar with are the DOCKER-USER, DOCKER-INPUT, DOCKER-OUTPUT, and DOCKER-FORWARD chains.

The DOCKER-USER chain is the first chain that is processed by the iptables rules for a container. This chain is used to allow or deny the traffic that is generated by the container itself, before it is sent to the host machine’s firewall rules.

The DOCKER-INPUT chain is used to filter the incoming traffic that is destined for the container. This chain is used to enforce the firewall rules for the container, and to block any traffic that is not explicitly allowed.

The DOCKER-OUTPUT chain is used to filter the outgoing traffic that is generated by the container. This chain is used to enforce the firewall rules for the container, and to block any traffic that is not explicitly allowed.

The DOCKER-FORWARD chain is used to manage the traffic that is forwarded between multiple containers, or between a container and the host machine. This chain is used to enforce the firewall rules for the container and to block any traffic that is not explicitly allowed.

Step 1: Configure the Iptables in a Docker Container

Run the following command to block all incoming traffic to a container from the iptables:

$iptables -A DOCKER-INPUT -j DROP

 
Note: This rule drops all the incoming traffic to the container, effectively blocking all connections to it.

    • The A option adds a rule to a chain.
    • The D option deletes a rule from a chain.

Step 2: Allow Specific Incoming Traffic

To allow specific incoming traffic to the container, you can add rules to the DOCKER-INPUT chain that allow the traffic from specific IP addresses or ports.

Run the following command to allow the incoming traffic on port 80 from the IP address 192.168.1.100:

$iptables -A DOCKER-INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT

 
This rule allows the incoming traffic on port 80 from the IP address 192.168.1.100 while blocking all other traffic to the container.

Step 3: Delete a Rule from a Chain

To delete a rule from a chain, you can use the D option with the iptables command.

Run the following command to delete the rule that we previously added to block all the incoming traffic to the container:

$iptables -D DOCKER-INPUT -j DROP

 
This deletes the rule from the DOCKER-INPUT chain which allows the incoming traffic to the container again.

Conclusion

Configuring the iptables rules in a Docker container is an important step in securing your containerized applications. By default, Docker creates permissive rules that allow all traffic to and from the container. However, with the help of iptables, you can create custom rules that control the traffic that enters and exits the container, thus limiting the risk of unauthorized access or malicious attacks. With the step-by-step guide that we provided in this article, you should be able to configure the iptables rules in your Docker container and improve the security of your containerized applications.

About the author

Zeeman Memon

Hi there! I'm a Software Engineer who loves to write about tech. You can reach out to me on LinkedIn.