Packet filtering and firewalls

On Linux, Docker creates firewall rules to implement network isolation, port publishing and filtering.

Because these rules are required for the correct functioning of Docker bridge networks, you should not modify the rules created by Docker.

This page describes the options that control how Docker builds those firewall rules, including the rules for port publishing and for NAT/masquerading.

Note

Docker creates firewall rules for bridge networks.

No rules are created for ipvlan, macvlan or host networking.

Firewall backend

By default, Docker Engine creates its firewall rules using iptables, see Docker with iptables. It also has support for nftables, see Docker with nftables.

For bridge networks, iptables and nftables have the same functionality.

The Docker Engine option firewall-backend selects whether iptables or nftables is used. See daemon configuration.

Docker on a router

On Linux, Docker needs IP forwarding enabled on the host. So, if the sysctl settings net.ipv4.ip_forward and net.ipv6.conf.all.forwarding are not already enabled when it starts, Docker enables them. When it does that, it also configures the firewall to drop forwarded packets unless they are explicitly accepted.

When Docker sets the default forwarding policy to "drop", it will prevent your Docker host from acting as a router. This is the recommended setting when IP Forwarding is enabled, unless router functionality is required.

To stop Docker from setting the forwarding policy to "drop", include "ip-forward-no-drop": true in /etc/docker/daemon.json, or add option --ip-forward-no-drop to the dockerd command line.

Note

With the experimental nftables backend, Docker does not enable IP forwarding itself, and it will not create a default "drop" nftables policy. See Migrating from iptables to nftables.

Prevent Docker from manipulating firewall rules

Setting the iptables or ip6tables keys to false in the daemon configuration prevents Docker from creating most of its iptables or nftables rules. This option is not appropriate for most users: it is likely to break container networking for the Docker Engine.

For example, with Docker's firewalling disabled and no replacement rules, containers in bridge networks cannot reach internet hosts, because nothing masquerades their traffic, while all of their ports (not only published ones) are accessible to hosts on the local network.

It is not possible to completely prevent Docker from creating firewall rules, and creating rules after-the-fact is extremely involved and beyond the scope of these instructions.
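The daemon.json keys discussed above (firewall-backend, ip-forward-no-drop, iptables and ip6tables) interact: turning off Docker's rules exposes container ports to the LAN, and ip-forward-no-drop leaves the host forwarding between interfaces. The following audit script is an added example, not part of the Docker documentation or the Docker Engine. It parses a daemon.json and, for the iptables backend, the output of "iptables -S FORWARD", and reports the settings a reviewer would want flagged. The sample configuration and the sample chain listing are constructed for the example; the finding texts and the decision to skip the FORWARD-policy check for the nftables backend are this example's own choices, based on the behaviour described on this page.

```python
"""Audit the Docker daemon.json firewall keys discussed on this page.

Added example: not Docker's own code. It inspects the daemon configuration
and, for the iptables backend, the FORWARD chain's default policy.
"""
import json
from typing import List, Optional

# Constructed sample daemon.json (not from a real host).
SAMPLE_DAEMON_JSON = """
{
  "firewall-backend": "iptables",
  "ip-forward-no-drop": true,
  "iptables": true,
  "ip6tables": false
}
"""

# Constructed sample of `iptables -S FORWARD` output on a host where the
# operator has left the FORWARD policy at ACCEPT (the host acts as a router).
SAMPLE_FORWARD_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -j DOCKER-USER
"""


def load_daemon_config(text: str) -> dict:
    """Parse daemon.json; it must be a single JSON object."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return cfg


def forward_policy(iptables_s_output: str) -> Optional[str]:
    """Return the FORWARD chain's default policy from `iptables -S FORWARD`.

    The policy line has the form `-P FORWARD DROP`; returns None if absent.
    """
    for line in iptables_s_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P" and parts[1] == "FORWARD":
            return parts[2]
    return None


def audit(cfg: dict, forward_rules: str = "") -> List[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    findings: List[str] = []

    backend = cfg.get("firewall-backend", "iptables")  # iptables is the default
    if backend not in ("iptables", "nftables"):
        findings.append(f"firewall-backend={backend!r}: expected 'iptables' or 'nftables'")

    for key in ("iptables", "ip6tables"):
        if cfg.get(key, True) is False:
            findings.append(
                f"{key}=false: Docker will not create most of its rules; without "
                "replacement rules, bridge containers lose masquerading and all "
                "of their ports are reachable from the local network"
            )

    if cfg.get("ip-forward-no-drop") is True:
        findings.append(
            "ip-forward-no-drop=true: Docker will not set the forwarding policy "
            "to drop, so the host can act as a router"
        )

    # With the nftables backend Docker does not set a drop policy itself and
    # the iptables FORWARD chain is not where its rules live, so the check
    # below only applies to the iptables backend (this example's choice).
    if backend == "iptables":
        policy = forward_policy(forward_rules)
        if policy is None:
            findings.append("FORWARD policy unknown: no '-P FORWARD' line in the supplied output")
        elif policy != "DROP":
            findings.append(
                f"FORWARD policy {policy}: forwarded packets are not dropped by "
                "default; the host may route traffic between its interfaces"
            )

    return findings


if __name__ == "__main__":
    config = load_daemon_config(SAMPLE_DAEMON_JSON)
    for finding in audit(config, SAMPLE_FORWARD_RULES):
        print("-", finding)
```

On a real host you would feed it the contents of /etc/docker/daemon.json and the output of iptables -S FORWARD (run as root); the script itself never touches the firewall, so it is safe to run anywhere.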

Integration with firewalld

If firewalld is enabled on your system and you are running Docker with the iptables or ip6tables options set to true, then in addition to its usual iptables or nftables rules Docker creates a firewalld zone called docker, with target ACCEPT.

All bridge network interfaces created by Docker (for example, docker0) are inserted into the docker zone.

Docker also creates a forwarding policy called docker-forwarding that allows forwarding from ANY zone to the docker zone.

Docker and ufw

Uncomplicated Firewall (ufw) is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use firewall rules in ways that make them incompatible with each other.

When you publish a container's ports using Docker, traffic to and from that container is diverted before it goes through the ufw firewall settings. Docker routes container traffic in the nat table, which means that packets are diverted before they reach the INPUT and OUTPUT chains that ufw uses. The packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.