Hey Rad,

Thanks for your answer! I have added these lines and now it looks very similar to before.

    iptables -N DOCKER
    iptables -A FORWARD -o docker0 -j DOCKER
    iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT

However, I am still getting errors.

    docker: Error response from daemon: failed to create endpoint cranky_kilby on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080 ! -i docker0: iptables: No chain/target/match by that name.
     (exit status 1).

This is my iptables -L output:

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain DOCKER (1 references)
    target     prot opt source               destination

I hid the INPUT chain because it is very big!

Best Regards,

On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <ra...@gruchalski.com> wrote:

> Hi Alfredo,
>
> The only thing you need is:
>
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
> Best regards,
> Radek Gruchalski
> ra...@gruchalski.com <ra...@gruchalski.com>
> de.linkedin.com/in/radgruchalski/
>
> Confidentiality: This communication is intended for the above-named
> person and may be confidential and/or legally privileged.
> If it has come to you in error you must take no action based on it, nor
> must you copy or show it to anyone; please delete/destroy and inform the
> sender immediately.
>
> On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
>
> > Hello guys,
> >
> > I don't know if that is the right place to ask. So, since we use public
> > cloud, we are trying to harden our servers, allowing traffic just from
> > our subnetworks. However, when I tried to implement some iptables rules I
> > got problems with Docker, which couldn't find its chain anymore.
> >
> > Then, I am wondering if anyone has ever implemented any iptables rule in
> > this scenario.
> >
> > I've seen this[1] "tip", however, I think that it does not apply to this
> > case, because it is very "static".
> >
> > [1] - https://fralef.me/docker-and-iptables.html
> >
> > Best Regards,
> >
> > --
> > Alfredo Miranda

--
Alfredo Miranda
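
Added example, not part of the thread: the failing command in the error above runs with -t nat, whereas iptables -N DOCKER and iptables -L without -t act only on the filter table. This sketch reads iptables-save output and reports which of the table:chain pairs the thread shows Docker using are not declared; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# missing_chains REQUIRED
# Reads `iptables-save` output on stdin and prints every required
# "table:chain" pair (space-separated in REQUIRED) that is not declared.
missing_chains() {
    awk -v required="$1" '
        /^\*/ { table = substr($0, 2) }        # "*nat" opens a table section
        /^:/  { split(substr($0, 2), f, " ")   # ":DOCKER - [0:0]" declares a chain
                seen[table ":" f[1]] = 1 }
        END   { n = split(required, want, " ")
                for (i = 1; i <= n; i++)
                    if (!(want[i] in seen)) print want[i] }
    '
}

# Constructed sample mirroring the state described in the thread:
# DOCKER exists in the filter table (created by `iptables -N DOCKER`),
# but the nat table only has its built-in chains.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
EOF
}

# Pairs taken from the thread: the FORWARD rule jumps to DOCKER in filter,
# and the failing command appends to DOCKER in nat.
REQUIRED="filter:DOCKER nat:DOCKER"

# On a live host (as root): iptables-save | missing_chains "$REQUIRED"
sample_ruleset | missing_chains "$REQUIRED"
```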