Docker and iptables


On Linux, Docker manipulates iptables rules to provide network isolation. This is an implementation detail, and you should not modify the rules Docker inserts into your iptables policies.

Add iptables policies before Docker’s rules

All of the rules Docker generates for its networks are added to the DOCKER chain. Do not manipulate this chain manually. If you need rules that are evaluated before Docker's rules, add them to the DOCKER-USER chain. Docker creates this chain when the daemon starts, leaves it empty apart from a final RETURN rule, and makes the FORWARD chain jump to it before any of Docker's own chains, so the rules you place there are consulted before anything Docker creates automatically.

Restrict connections to the Docker host

By default, all external source IPs are allowed to connect to ports that containers publish on the Docker host. To allow only a specific IP or network to reach the containers, insert a negated rule at the top of the DOCKER-USER filter chain. Because DOCKER-USER is reached from the FORWARD chain, these rules govern traffic forwarded to containers; they do not protect the Docker daemon's own API socket, which must be secured separately. In the examples below, replace ext_if with the name of the host's external interface (for example eth0). The following rule restricts external access to all IP addresses except 192.168.1.1:

$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP

You could instead allow connections from a source subnet. The following rule only allows access from the subnet 192.168.1.0/24:

$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP

Finally, you can specify a range of IP addresses to accept using --src-range (Remember to also add -m iprange when using --src-range or --dst-range):

$ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.168.1.1-192.168.1.3 -j DROP

You can combine -s or --src-range with -d or --dst-range to control both the source and destination. For instance, if the Docker host has both the addresses 192.168.1.99 and 10.1.2.3, you can make rules specific to 10.1.2.3 and leave 192.168.1.99 open.

One caveat applies to every rule above: the FORWARD chain also carries the reply packets of connections that containers themselves initiate, and DOCKER-USER is evaluated before Docker's own rule that accepts ESTABLISHED,RELATED traffic. A rule that drops everything arriving on ext_if from a non-allowed source therefore also drops the replies to a container's outbound connections. Insert a rule matching the conntrack states ESTABLISHED,RELATED with a RETURN target ahead of the DROP rule so that known connections pass through unchanged.
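The following script is an added example, not part of the Docker documentation or of Docker's own code. It generates the DOCKER-USER rule set described above and generalises the single negated rule to an allow-list of several sources, accepting plain addresses, CIDR subnets and iprange-style first-last ranges. The interface name eth0 and the addresses in the usage line are placeholders; the conntrack rule placed first is the fix for the reply-packet problem discussed above. Applying the rules requires root and a running dockerd (which creates the DOCKER-USER chain); DRY_RUN=1 prints the commands instead.

```shell
#!/bin/sh
# Added example (not Docker's own code): generate and apply DOCKER-USER rules that
# let only listed sources reach published container ports on the external
# interface, while keeping replies to container-originated connections working.
# eth0 and the addresses shown in the usage line at the bottom are placeholders.

# docker_user_rules EXT_IF SRC [SRC...]
# Prints one iptables rule specification per line, in the order to apply them.
# SRC may be a single address, a CIDR subnet, or an iprange "first-last".
docker_user_rules() {
    ext_if="$1"
    shift
    [ -n "$ext_if" ] && [ "$#" -gt 0 ] || return 1

    # Start from an empty chain so re-running the script does not pile up rules.
    echo "-F DOCKER-USER"

    # Packets belonging to connections conntrack already knows (replies to
    # connections started by containers, or to connections admitted below) go
    # straight back to the FORWARD chain. Without this rule the DROP below would
    # discard those replies, because DOCKER-USER runs before Docker's own
    # ESTABLISHED,RELATED rule in FORWARD.
    echo "-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"

    # One RETURN per allowed source: control goes back to FORWARD, where Docker's
    # rules then decide whether the packet reaches a container.
    for src in "$@"; do
        case "$src" in
            *-*) echo "-A DOCKER-USER -i $ext_if -m iprange --src-range $src -j RETURN" ;;
            *)   echo "-A DOCKER-USER -i $ext_if -s $src -j RETURN" ;;
        esac
    done

    # Anything else arriving on the external interface is dropped before Docker's
    # rules get a chance to accept it.
    echo "-A DOCKER-USER -i $ext_if -j DROP"

    # Traffic on other interfaces (for example between containers) is left to
    # Docker's rules; this restores the RETURN rule Docker puts in the chain.
    echo "-A DOCKER-USER -j RETURN"
}

# apply_docker_user_rules EXT_IF SRC [SRC...]
# Feeds each generated rule to iptables. Set DRY_RUN=1 to print the commands only.
apply_docker_user_rules() {
    docker_user_rules "$@" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables $rule"
        else
            # shellcheck disable=SC2086  # word splitting of the rule is intended
            iptables $rule
        fi
    done
}

# Usage (placeholders): allow one subnet and one address range via eth0.
# DRY_RUN=1 apply_docker_user_rules eth0 192.168.1.0/24 10.1.2.1-10.1.2.3
```

The rules are appended with -A after a flush rather than inserted with -I one by one, so the order in the script is the order in the chain; with repeated -I commands the last rule issued would end up first. RETURN is used instead of ACCEPT for allowed sources so that Docker's isolation rules in FORWARD still apply to the admitted packets.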

iptables is complicated, and more complicated rules are out of scope for this topic. See the Netfilter.org HOWTO for a lot more information.

Prevent Docker from manipulating iptables

To prevent Docker from manipulating the iptables policies at all, set the iptables key to false in /etc/docker/daemon.json and restart the daemon. This is inappropriate for most users, because the iptables policies then need to be managed by hand: without Docker's rules, published ports are not forwarded to containers and container traffic to the outside is not masqueraded, so you must write equivalent filter and nat rules yourself.
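The daemon.json fragment that turns this off, shown here as an added example rather than a snippet from the Docker documentation (any other keys already present in your daemon.json must be kept alongside it):

```json
{
  "iptables": false
}
```

After changing the file, restart the daemon for the setting to take effect; rules Docker inserted earlier are not removed by the change and remain in place until the host is rebooted or they are deleted manually.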
