mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Update networking.md with new iptables behaviour

Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
This commit is contained in:
Ian Bishop 2014-12-01 11:28:25 +10:00
parent 0da92633b4
commit 137ceae913


@ -184,30 +184,46 @@ running. The options then modify this default configuration.
<a name="the-world"></a> <a name="the-world"></a>
Whether a container can talk to the world is governed by one main factor. Whether a container can talk to the world is governed by two factors.
Is the host machine willing to forward IP packets? This is governed 1. Is the host machine willing to forward IP packets? This is governed
by the `ip_forward` system parameter. Packets can only pass between by the `ip_forward` system parameter. Packets can only pass between
containers if this parameter is `1`. Usually you will simply leave containers if this parameter is `1`. Usually you will simply leave
the Docker server at its default setting `--ip-forward=true` and the Docker server at its default setting `--ip-forward=true` and
Docker will go set `ip_forward` to `1` for you when the server Docker will go set `ip_forward` to `1` for you when the server
starts up. To check the setting or turn it on manually: starts up. To check the setting or turn it on manually:
# Usually not necessary: turning on forwarding,
# on the host where your Docker server is running
```
$ cat /proc/sys/net/ipv4/ip_forward $ cat /proc/sys/net/ipv4/ip_forward
0 0
$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward $ echo 1 > /proc/sys/net/ipv4/ip_forward
$ cat /proc/sys/net/ipv4/ip_forward $ cat /proc/sys/net/ipv4/ip_forward
1 1
```
Many using Docker will want `ip_forward` to be on, to at Many using Docker will want `ip_forward` to be on, to at
least make communication *possible* between containers and least make communication *possible* between containers and
the wider world. the wider world.
May also be needed for inter-container communication if you are May also be needed for inter-container communication if you are
in a multiple bridge setup. in a multiple bridge setup.
2. Do your `iptables` allow this particular connection? Docker will
never make changes to your system `iptables` rules if you set
`--iptables=false` when the daemon starts. Otherwise the Docker
server will append forwarding rules to the `DOCKER` filter chain.
Docker will not delete or modify any pre-existing rules from the `DOCKER`
filter chain. This allows the user to create in advance any rules required
to further restrict access to the containers.
Docker's forward rules permit all external source IPs by default. To allow
only a specific IP or network to access the containers, insert a negated
rule at the top of the `DOCKER` filter chain. For example, to restrict
external access such that *only* source IP 8.8.8.8 can access the
containers, the following rule could be added:
$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
## Communication between containers ## Communication between containers
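Review bot: dropping `sudo` from `$ echo 1 > /proc/sys/net/ipv4/ip_forward` is right in that `sudo` never applied to the shell's redirection, but with a `$` prompt the redirect now fails with "Permission denied" for a non-root user, so the example still does not work as typed; suggest `$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward` or `$ sudo sysctl -w net.ipv4.ip_forward=1`. Two smaller points in the same hunk: the two `# Usually not necessary ...` comment lines sit above the opening ``` fence and would render as Markdown headings unless they are moved inside the block, and the new `$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP` example should be fenced like the one above it and should say that `ext_if` is a placeholder for the host's external interface name, since a reader copying it verbatim gets a rule that matches nothing.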
@ -222,12 +238,12 @@ system level, by two factors.
between them. See the later sections of this document for other between them. See the later sections of this document for other
possible topologies. possible topologies.
2. Do your `iptables` allow this particular connection to be made? 2. Do your `iptables` allow this particular connection? Docker will never
Docker will never make changes to your system `iptables` rules if make changes to your system `iptables` rules if you set
you set `--iptables=false` when the daemon starts. Otherwise the `--iptables=false` when the daemon starts. Otherwise the Docker server
Docker server will add a default rule to the `FORWARD` chain with a will add a default rule to the `FORWARD` chain with a blanket `ACCEPT`
blanket `ACCEPT` policy if you retain the default `--icc=true`, or policy if you retain the default `--icc=true`, or else will set the
else will set the policy to `DROP` if `--icc=false`. policy to `DROP` if `--icc=false`.
It is a strategic question whether to leave `--icc=true` or change it to It is a strategic question whether to leave `--icc=true` or change it to
`--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in `--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in
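Review bot: the rewritten sentence still says Docker "will set the policy to `DROP` if `--icc=false`", but the listings later in this file show `Chain FORWARD (policy ACCEPT)` with an explicit `DROP all -- 0.0.0.0/0 0.0.0.0/0` rule, so what Docker actually changes is a rule, not the chain policy; suggest "or else will append a `DROP` rule if `--icc=false`". This hunk also still describes everything in terms of the `FORWARD` chain, while the new text in the first hunk says forwarding rules go into the `DOCKER` filter chain; stating that the `--icc` rule lives in `FORWARD` after the jump to `DOCKER` would reconcile the two sections.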
@ -267,6 +283,7 @@ the `FORWARD` chain has a default policy of `ACCEPT` or `DROP`:
... ...
Chain FORWARD (policy ACCEPT) Chain FORWARD (policy ACCEPT)
target prot opt source destination target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 DROP all -- 0.0.0.0/0 0.0.0.0/0
... ...
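Review bot: the hunk header context "the `FORWARD` chain has a default policy of `ACCEPT` or `DROP`" is now contradicted by the listing it introduces, which keeps `(policy ACCEPT)` and adds a `DOCKER` jump ahead of the `DROP` rule; update that sentence to say the `FORWARD` chain first jumps to `DOCKER` and then falls through to a `DROP` rule when `--icc=false`, otherwise readers will look for a policy change that the output does not show.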
@ -278,9 +295,13 @@ the `FORWARD` chain has a default policy of `ACCEPT` or `DROP`:
... ...
Chain FORWARD (policy ACCEPT) Chain FORWARD (policy ACCEPT)
target prot opt source destination target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 172.17.0.2 172.17.0.3 tcp spt:80 ACCEPT tcp -- 172.17.0.2 172.17.0.3 tcp spt:80
ACCEPT tcp -- 172.17.0.3 172.17.0.2 tcp dpt:80 ACCEPT tcp -- 172.17.0.3 172.17.0.2 tcp dpt:80
DROP all -- 0.0.0.0/0 0.0.0.0/0
> **Note**: > **Note**:
> Docker is careful that its host-wide `iptables` rules fully expose > Docker is careful that its host-wide `iptables` rules fully expose
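Review bot: the new listing is the clearest evidence in the document for why `--link` still works under `--icc=false`, since `FORWARD` consults `Chain DOCKER (1 references)` with the two per-link `ACCEPT` rules before reaching its own `DROP`, but the prose never says so; add a sentence above the listing making that ordering explicit. It would also tie back to the first hunk to show a user-inserted rule (such as the `! -s 8.8.8.8 -j DROP` example) at the top of `DOCKER`, ahead of the `ACCEPT` rules Docker appends, so the claim that Docker never modifies pre-existing rules is illustrated rather than only asserted.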