Skip to content

Instantly share code, notes, and snippets.

@pgaertig

pgaertig/gist:9c0e59954ea50f5af9c5cbfaa990360d

Created December 18, 2022 17:37
Download ZIP
Docker iptables
Raw
gistfile1.txt
# iptables-save
# Generated by iptables-save v1.8.7 on Sun Dec 18 17:35:25 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7c4c14ed7a6c -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7c4c14ed7a6c -j DOCKER
-A FORWARD -i br-7c4c14ed7a6c ! -o br-7c4c14ed7a6c -j ACCEPT
-A FORWARD -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-7c4c14ed7a6c -o br-7c4c14ed7a6c -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-7c4c14ed7a6c ! -o br-7c4c14ed7a6c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-7c4c14ed7a6c -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Dec 18 17:35:25 2022
# Generated by iptables-save v1.8.7 on Sun Dec 18 17:35:25 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7c4c14ed7a6c -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 465 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-7c4c14ed7a6c -j RETURN
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.18.0.3:993
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.18.0.3:587
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.18.0.3:465
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.18.0.3:143
-A DOCKER ! -i br-7c4c14ed7a6c -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.18.0.3:25
COMMIT
# Completed on Sun Dec 18 17:35:25 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment