Custom IPTables rules

2016-04-13 Thread Alfredo Carneiro
Hello guys, I don't know if this is the right place to ask. Since we use a public cloud, we are trying to harden our servers by allowing traffic only from our subnetworks. However, when I tried to implement some iptables rules I ran into problems with Docker, which couldn't find its chain anymore. T

Re: Custom IPTables rules

2016-04-13 Thread Rad Gruchalski
Hi Alfredo, the only thing you need is:

-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

Best regards,
Radek Gruchalski
ra...@gruchalski

Re: Custom IPTables rules

2016-04-13 Thread Alfredo Carneiro
Hey Rad, thanks for your answer! I have added these lines and now it looks very similar to before.

iptables -N DOCKER
iptables -A FORWARD -o docker0 -j DOCKER
iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEP

Re: Custom IPTables rules

2016-04-13 Thread Rad Gruchalski
Have you tried restarting the docker daemon afterwards?

Best regards,
Radek Gruchalski
ra...@gruchalski.com
de.linkedin.com/in/radgruchalski/

Confidentiality: This communication is inte

Re: Custom IPTables rules

2016-04-13 Thread Alfredo Carneiro
Oh man! Really, thanks! It worked!

On Wed, Apr 13, 2016 at 4:57 PM, Rad Gruchalski wrote:
> Have you tried restarting the docker daemon afterwards?
>
> Best regards,
> Radek Gruchalski
> ra...@gruchalski.com
> de.linkedin.com/in/radgruchalski/
>
> *Confidentiality:* This communication is intended f

Re: Custom IPTables rules

2016-04-13 Thread Avinash Sridharan
You need a DOCKER chain in the NAT table as well. The output you are showing is from the default (filter) table. Try "iptables -t nat -L" to list all rules and chains in the NAT table. You can add the DOCKER chain to the NAT table with "iptables -t nat -N DOCKER". As Rad su

Re: Custom IPTables rules

2016-04-13 Thread Rad Gruchalski
I actually found the complete thing you need. Here we go:

*nat
…
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# This is where the docker NAT rules

Re: Custom IPTables rules

2016-04-13 Thread Alfredo Carneiro
Unfortunately, I am facing some problems: even with my INPUT rules allowing just some subnetworks, Docker is accepting connections from everywhere.

On Wed, Apr 13, 2016 at 5:06 PM, Rad Gruchalski wrote:
> I actually found the complete thing you need. Here we go:
>
> *nat
> …
>
> :DOCKER - [0:0

Re: Custom IPTables rules

2016-04-13 Thread Rad Gruchalski
Alfredo, I have no examples of locking that one down on hand, but I can imagine that it should be feasible to lock it down.

Best regards,
Radek Gruchalski
ra...@gruchalski.com
de.linkedin.com/in/radgruchalski/ (http://de.link
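The reason INPUT rules do not catch traffic to published container ports is visible in the nat rules Rad posted: the PREROUTING jump to DOCKER DNATs the packet to the container address before routing, so the packet then traverses FORWARD (where -A FORWARD -o docker0 -j DOCKER accepts it), never INPUT. Filtering therefore has to happen in the FORWARD path. The script below is an added example, not code from anyone in this thread: it prints an iptables-restore ruleset that keeps the filter and nat chains from Rad's and Avinash's messages intact, restricts INPUT to the given subnets, and puts the per-subnet restriction for published ports in a DOCKER-USER chain. DOCKER-USER is a chain Docker itself jumps to at the top of FORWARD and does not flush; it was introduced in Docker 17.06, so it postdates this 2016 thread and is assumed here. The interface name and subnets are arguments (eth0 and the 10.x ranges in the usage line are placeholders), and nothing here calls iptables; the output is meant to be reviewed and then loaded with iptables-restore before the docker daemon starts.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset for a
# host that runs Docker and should accept traffic only from a few subnets.
#
# Usage: gen_docker_ruleset <external-interface> <cidr> [<cidr> ...]
# Assumptions: external interface name and allowed CIDRs are passed in;
# the bridge is docker0 on 172.17.0.0/16 (Docker's default, as in the thread);
# Docker is 17.06 or newer, so the DOCKER-USER chain exists and is honoured.
gen_docker_ruleset() {
    ext_if="$1"
    shift

    # nat table: Rad's rules, verbatim. Docker fills the DOCKER chain with one
    # DNAT rule per published port; PREROUTING sends inbound packets there.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
EOF

    # filter table. INPUT only protects services bound on the host itself:
    # DNAT'd traffic for published ports never reaches INPUT.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -s ${cidr} -j ACCEPT"
    done

    # Docker's own FORWARD rules (as posted in the thread), preceded by the
    # jump Docker inserts itself; DOCKER-USER is evaluated before DOCKER, so a
    # DROP there wins over the per-port ACCEPT that Docker adds later.
    cat <<EOF
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -i ${ext_if} -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
EOF
    # Only new connections arriving on the external interface are restricted;
    # container-to-outside traffic (-i docker0) falls through to the final RETURN.
    for cidr in "$@"; do
        printf '%s\n' "-A DOCKER-USER -i ${ext_if} -s ${cidr} -j RETURN"
    done
    cat <<EOF
-A DOCKER-USER -i ${ext_if} -j DROP
-A DOCKER-USER -j RETURN
COMMIT
EOF
}

# Stand-alone use: sh rules.sh eth0 10.0.0.0/8 10.1.0.0/16 > /etc/iptables/rules.v4
if [ "$#" -ge 2 ]; then
    gen_docker_ruleset "$@"
fi
```

The order inside DOCKER-USER matters: the established/related RETURN comes first so replies to connections the containers open are not dropped, the per-subnet RETURNs come next, and the DROP on the external interface comes last. Loading the file with iptables-restore replaces the whole table, so do it before starting dockerd (or restart the daemon afterwards, as Rad suggested) so that Docker re-adds its per-port DNAT and ACCEPT entries into the chains that now exist.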