{"id":15641627,"url":"https://github.com/garutilorenzo/iptables-docker","last_synced_at":"2025-08-23T15:39:57.253Z","repository":{"id":42392268,"uuid":"417155788","full_name":"garutilorenzo/iptables-docker","owner":"garutilorenzo","description":"A bash solution for docker and iptables conflict","archived":false,"fork":false,"pushed_at":"2022-12-26T14:29:10.000Z","size":36,"stargazers_count":79,"open_issues_count":1,"forks_count":19,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-30T09:12:26.154Z","etag":null,"topics":["debian","docker","docker-swarm","firewall","iptables","iptables-configurations","iptables-firewall","iptables-persistent","linux","security","ubunutu"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/garutilorenzo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-14T14:09:55.000Z","updated_at":"2025-04-19T13:45:59.000Z","dependencies_parsed_at":"2023-01-31T00:14:57.512Z","dependency_job_id":null,"html_url":"https://github.com/garutilorenzo/iptables-docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/garutilorenzo/iptables-docker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fiptables-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fiptables-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fiptables-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fiptables-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/garutilorenzo","download_url":"https://codeload.github.com/garutilorenzo/iptables-docker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/garutilorenzo%2Fiptables-docker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271754940,"owners_count":24815323,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-23T02:00:09.327Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","docker","docker-swarm","firewall","iptables","iptables-configurations","iptables-firewall","iptables-persistent","linux","security","ubunutu"],"created_at":"2024-10-03T11:43:58.156Z","updated_at":"2025-08-23T15:39:57.227Z","avatar_url":"https://github.com/garutilorenzo.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# iptables-docker\n\n[![GitHub forks](https://img.shields.io/github/forks/garutilorenzo/iptables-docker)](https://github.com/garutilorenzo/iptables-docker/network)\n[![GitHub stars](https://img.shields.io/github/stars/garutilorenzo/iptables-docker)](https://github.com/garutilorenzo/iptables-docker/stargazers)\n![GitHub](https://img.shields.io/github/license/garutilorenzo/iptables-docker)\n[![GitHub issues](https://img.shields.io/github/issues/garutilorenzo/iptables-docker)](https://github.com/garutilorenzo/iptables-docker/issues)\n\n### A bash solution for docker and iptables conflict\n\nIf you’ve ever tried to setup firewall rules on the same machine where docker daemon is running you may have noticed that docker (by default) manipulate your iptables chains.\nIf you want the full control of your iptables rules this might be a problem.\n\nBefore you proceed read carefully the [important notes](#important-notes) section.\n\n### Table of Contents\n\n* [Docker and iptables](#docker-and-iptables)\n* [The problem](#the-problem)\n* [The solution](#the-solution)\n* [Usage](#usage)\n* [Test](#test-iptables-docker)\n* [Notes](#important-notes)\n* [Extending iptables-docker](#extending-iptables-docker)\n\n### Docker and iptables\n\nDocker is utilizing the iptables \"nat\" to resolve packets from and to its containers and \"filter\" for isolation purposes, by default docker creates some chains in your iptables setup:\n\n```\nsudo iptables -L\n\nChain INPUT (policy ACCEPT)\ntarget prot opt source destination \n\nChain FORWARD (policy DROP)\ntarget prot opt source destination \nDOCKER-USER all -- anywhere anywhere \nDOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere \nACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED\nDOCKER all -- anywhere anywhere \nACCEPT all -- anywhere anywhere \nACCEPT all -- anywhere anywhere \n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt source destination \n\nChain DOCKER (1 references)\ntarget prot opt source destination \n\nChain DOCKER-INGRESS (0 references)\ntarget prot opt source destination \n\nChain DOCKER-ISOLATION-STAGE-1 (1 references)\ntarget prot opt source destination \nDOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere \nRETURN all -- anywhere anywhere \n\nChain DOCKER-ISOLATION-STAGE-2 (1 references)\ntarget prot opt source destination \nDROP all -- anywhere anywhere \nRETURN all -- anywhere anywhere \n\nChain DOCKER-USER (1 references)\ntarget prot opt source destination \nRETURN all -- anywhere anywhere \n```\n\nnow for example we have the need to expose our nginx container to the world:\n\n```\ndocker run --name some-nginx -d -p 8080:80 nginx:latest\n47a12adff13aa7609020a1aa0863b0dff192fbcf29507788a594e8b098ffe47a\n\ndocker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\n47a12adff13a nginx:latest \"/docker-entrypoint.…\" 27 seconds ago Up 24 seconds 0.0.0.0:8080-\u003e80/tcp, :::8080-\u003e80/tcp some-nginx\n```\n\nand now we can reach our nginx default page:\n\n```\ncurl -v http://192.168.25.200:8080\n\n* Trying 192.168.25.200:8080...\n* TCP_NODELAY set\n* Connected to 192.168.25.200 (192.168.25.200) port 8080 (#0)\n\u003e GET / HTTP/1.1\n\u003e Host: 192.168.25.200:8080\n\u003e User-Agent: curl/7.68.0\n\u003e Accept: */*\n\u003e \n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 200 OK\n\u003c Server: nginx/1.21.1\n\u003c Date: Thu, 14 Oct 2021 10:31:38 GMT\n\u003c Content-Type: text/html\n\u003c Content-Length: 612\n\u003c Last-Modified: Tue, 06 Jul 2021 14:59:17 GMT\n\u003c Connection: keep-alive\n\u003c ETag: \"60e46fc5-264\"\n\u003c Accept-Ranges: bytes\n\u003c \n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003ctitle\u003eWelcome to nginx!\u003c/title\u003e\n\u003cstyle\u003e\n body {\n width: 35em;\n margin: 0 auto;\n font-family: Tahoma, Verdana, Arial, sans-serif;\n }\n...\n* Connection #0 to host 192.168.25.200 left intact\n```\n\n**NOTE** the connection test is made using an external machine, not the same machine where the docker container is running.\n\nDocker also add a \"magic\" iptables rule, which allow our container to reach the outside world:\n\n```\ndocker run --rm nginx curl ipinfo.io/ip\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 15 100 15 0 0 94 0 --:--:-- --:--:-- --:--:-- 94\n\n1.2.3.4\n```\n\nNow check what happened to our iptables rules:\n\n```\niptables -L\n\n...\nChain DOCKER (1 references)\ntarget prot opt source destination \nACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http\n...\n```\n\na new rule is appeared, but is not the only rule added to our chains.\n\nTo get a more detailed view of our iptables chain we can dump the full iptables rules with *iptables-save*:\n\n```\n# Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021\n*mangle\n:PREROUTING ACCEPT [33102:3022248]\n:INPUT ACCEPT [33102:3022248]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [32349:12119113]\n:POSTROUTING ACCEPT [32357:12120329]\nCOMMIT\n# Completed on Thu Oct 14 12:32:46 2021\n# Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021\n*nat\n:PREROUTING ACCEPT [1:78]\n:INPUT ACCEPT [1:78]\n:OUTPUT ACCEPT [13:1118]\n:POSTROUTING ACCEPT [13:1118]\n:DOCKER - [0:0]\n:DOCKER-INGRESS - [0:0]\n-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\n-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER\n-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE\n-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE\n-A DOCKER -i docker0 -j RETURN\n-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80\nCOMMIT\n# Completed on Thu Oct 14 12:32:46 2021\n# Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021\n*filter\n:INPUT ACCEPT [4758:361293]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [4622:357552]\n:DOCKER - [0:0]\n:DOCKER-INGRESS - [0:0]\n:DOCKER-ISOLATION-STAGE-1 - [0:0]\n:DOCKER-ISOLATION-STAGE-2 - [0:0]\n:DOCKER-USER - [0:0]\n-A FORWARD -j DOCKER-USER\n-A FORWARD -j DOCKER-ISOLATION-STAGE-1\n-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -o docker0 -j DOCKER\n-A FORWARD -i docker0 ! -o docker0 -j ACCEPT\n-A FORWARD -i docker0 -o docker0 -j ACCEPT\n-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT\n-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -j RETURN\n-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -j RETURN\n-A DOCKER-USER -j RETURN\nCOMMIT\n# Completed on Thu Oct 14 12:32:46 2021\n```\n\nin our dump we can see some other rules added by docker:\n\n**DOCKER-INGRESS (nat table)**\n\n```\n-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE\n-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE\n-A DOCKER -i docker0 -j RETURN\n-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80\n```\n\n**DOCKER-USER (filter table)**\n\n```\n-A FORWARD -j DOCKER-USER\n-A FORWARD -j DOCKER-ISOLATION-STAGE-1\n-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -o docker0 -j DOCKER\n-A FORWARD -i docker0 ! -o docker0 -j ACCEPT\n-A FORWARD -i docker0 -o docker0 -j ACCEPT\n-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT\n-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -j RETURN\n-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -j RETURN\n-A DOCKER-USER -j RETURN\n```\n\nto explore in detail how iptables and docker work:\n\n* Docker [docs](https://docs.docker.com/network/iptables/)\n* Docker forum [question](https://forums.docker.com/t/understanding-iptables-rules-added-by-docker/77210)\n* [gist](https://gist.github.com/x-yuri/abf90a18895c62f8d4c9e4c0f7a5c188) from x-yuri \n* argus-sec.com [post](https://argus-sec.com/docker-networking-behind-the-scenes/)\n\n### The problem\n\nBut what happen if we stop and restart our firewall?\n\n```\nsystemctl stop ufw|firewalld # \u003c- the service (ufw or firewalld) may change from distro to distro\nsystemctl stop ufw|firewalld\n\n\ncurl -v http://192.168.25.200:8080\n* Trying 192.168.25.200:8080...\n* TCP_NODELAY set\n\n\ndocker run --rm nginx curl ipinfo.io/ip\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n 0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0\n\n```\n\nwe can see that:\n\n* our container is not reachable from the outside world\n* our container is not able to reach internet\n\n### The solution\n\nThe solution for this problem is a simple bash script (combined to an awk script) to manage our iptables rules.\nIn short the script parse the output of the *iptables-save* command and preserve a set of chains. The chains preserved are:\n\nfor table nat:\n\n* POSTROUTING\n* PREROUTING\n* DOCKER\n* DOCKER-INGRESS\n* OUTPUT\n\nfor table filter:\n\n* FORWARD\n* DOCKER-ISOLATION-STAGE-1\n* DOCKER-ISOLATION-STAGE-2\n* DOCKER\n* DOCKER-INGRESS\n* DOCKER-USER\n\n### Install iptables-docker\n\n#### Local install (sh)\n\n**NOTE** this kind of install use a static file (src/iptables-docker.sh). By default **only** ssh access to local machine is allowd. To allow specific traffic you have to edit manually this file with your own rules:\n\n``` \n # Other firewall rules\n # insert here your firewall rules\n $IPT -A INPUT -p tcp --dport 1234 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT\n```\n\n**NOTE2** if you use a swarm cluster uncomment the lines under *Swarm mode - uncomment to enable swarm access (adjust source lan)* and adjust your LAN subnet\n\nTo install iptables-docker on a local machine, clone this repository and run *sudo sh install.sh*\n\n```\nsudo sh install.sh \n\nSet iptables to iptables-legacy\nDisable ufw,firewalld\nSynchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.\nExecuting: /lib/systemd/systemd-sysv-install disable ufw\nFailed to stop firewalld.service: Unit firewalld.service not loaded.\nFailed to disable unit: Unit file firewalld.service does not exist.\nInstall iptables-docker.sh\nCreate systemd unit\nEnable iptables-docker.service\nCreated symlink /etc/systemd/system/multi-user.target.wants/iptables-docker.service → /etc/systemd/system/iptables-docker.service.\nstart iptables-docker.service\n```\n\n#### Automated install (ansible)\n\nYou can also use ansible to deploy iptables-docker everywhere. To do this adjust the settings under group_vars/main.yml.\n\n| Label | Default | Description |\n| ------- | ------- | ----------- |\n| `docker_preserve` | `yes` | Preserve docker iptables rules |\n| `swarm_enabled` | `no` | Tells to ansible to open the required ports for the swarm cluster |\n| `ebable_icmp_messages` | `yes` | Enable response to ping requests |\n| `swarm_cidr` | `192.168.1.0/24` | Local docker swarm subnet |\n| `ssh_allow_cidr` | `0.0.0.0/0` | SSH alloed subnet (default everywhere) |\n| `iptables_allow_rules` | `[]` | List of dict to dynamically open ports. Each dict has the following key: desc, proto, from, port. See group_vars/all.yml for examples |\n| `iptables_docker_uninstall` | `no` | Uninstall iptables-docker |\n\nNow create the inventory (hosts.ini file) or use an inline inventory and run the playbook:\n\n```\nansible-playbook -i hosts.ini site.yml\n```\n\n### Usage\n\nTo start the service use:\n\n```\nsudo systemctl start iptables-docker\n\nor \n\nsudo iptables-docker.sh start\n```\n\nTo stop the srevice use:\n\n```\nsudo systemctl stop iptables-docker\n\nor \n\nsudo iptables-docker.sh stop\n```\n\n### Test iptables-docker\n\nNow if you turn off the firewall with *sudo systemctl stop iptables-docker* and if you check the iptable-save output, you will see that the docker rules are still there:\n\n```\nsudo iptables-save\n\n# Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021\n*mangle\n:PREROUTING ACCEPT [346:23349]\n:INPUT ACCEPT [346:23349]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [340:24333]\n:POSTROUTING ACCEPT [340:24333]\nCOMMIT\n# Completed on Thu Oct 14 15:52:30 2021\n# Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021\n*nat\n:PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:DOCKER - [0:0]\n:DOCKER-INGRESS - [0:0]\n-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\n-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER\n-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE\n-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE\n-A DOCKER -i docker0 -j RETURN\n-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80\nCOMMIT\n# Completed on Thu Oct 14 15:52:30 2021\n# Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021\n*filter\n:INPUT ACCEPT [357:24327]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [355:26075]\n:DOCKER - [0:0]\n:DOCKER-INGRESS - [0:0]\n:DOCKER-ISOLATION-STAGE-1 - [0:0]\n:DOCKER-ISOLATION-STAGE-2 - [0:0]\n:DOCKER-USER - [0:0]\n-A FORWARD -j DOCKER-USER\n-A FORWARD -j DOCKER-ISOLATION-STAGE-1\n-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n-A FORWARD -o docker0 -j DOCKER\n-A FORWARD -i docker0 ! -o docker0 -j ACCEPT\n-A FORWARD -i docker0 -o docker0 -j ACCEPT\n-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT\n-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2\n-A DOCKER-ISOLATION-STAGE-1 -j RETURN\n-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP\n-A DOCKER-ISOLATION-STAGE-2 -j RETURN\n-A DOCKER-USER -j RETURN\nCOMMIT\n# Completed on Thu Oct 14 15:52:30 2021\n```\n\nour container is still accesible form the outside:\n\n```\n curl -v http://192.168.25.200:8080\n* Trying 192.168.25.200:8080...\n* TCP_NODELAY set\n* Connected to 192.168.25.200 (192.168.25.200) port 8080 (#0)\n\u003e GET / HTTP/1.1\n\u003e Host: 192.168.25.200:8080\n\u003e User-Agent: curl/7.68.0\n\u003e Accept: */*\n\u003e \n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 200 OK\n\u003c Server: nginx/1.21.1\n\u003c Date: Thu, 14 Oct 2021 13:53:33 GMT\n\u003c Content-Type: text/html\n\u003c Content-Length: 612\n\u003c Last-Modified: Tue, 06 Jul 2021 14:59:17 GMT\n\u003c Connection: keep-alive\n\u003c ETag: \"60e46fc5-264\"\n\u003c Accept-Ranges: bytes\n```\n\nand our container can reach internet:\n\n```\ndocker run --rm nginx curl ipinfo.io/ip\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n100 15 100 15 0 0 94 0 --:--:-- --:--:-- --:--:-- 94\nmy-public-ip-address\n```\n\n### Important notes\n\nBefore install iptables-docker please read this notes:\n\n* both local install and ansible install configure your system to use **iptables-legacy**\n* by default **only** port 22 is allowed\n* ufw and firewalld will be permanently **disabled**\n* filtering on all docker interfaces is disabled\n\nDocker interfaces are:\n\n* vethXXXXXX interfaces\n* br-XXXXXXXXXXX interfaces\n* docker0 interface\n* docker_gwbridge interface \n\n### Extending iptables-docker\n\nYou can extend or modify iptables-docker by editing:\n\n* src/iptables-docker.sh for the local install (sh)\n* roles/iptables-docker/templates/iptables-docker.sh.j2 template file for the automated install (ansible)\n\n### Uninstall\n\n#### Local install (sh)\n\nRun uninstall.sh\n\n#### Automated install (ansible)\n\nset the variable \"iptables_docker_uninstall\" to \"yes\" into group_vars/all.yml and run the playbook.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarutilorenzo%2Fiptables-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgarutilorenzo%2Fiptables-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgarutilorenzo%2Fiptables-docker/lists"}