Docker and iptables
On Linux, Docker manipulates iptables rules to provide network isolation. This is an implementation detail, and you should not modify the rules Docker inserts into your iptables policies.
Add iptables policies before Docker’s rules
All of Docker’s iptables rules are added to the DOCKER chain. Do not manipulate this chain manually. If you need to add rules which load before Docker’s rules, add them to the DOCKER-USER chain. These rules are loaded before any rules Docker creates automatically.
Restrict connections to the Docker daemon
By default, all external source IPs are allowed to connect to the Docker daemon. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER-USER filter chain. For example, the following rule restricts external access to all IP addresses except 192.168.1.1, where ext_if stands for the name of the host’s external network interface:
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
You could instead allow connections from a source subnet. The following rule only allows access from the subnet 192.168.1.0/24:
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
Finally, you can specify a range of IP addresses to accept using --src-range (remember to also add -m iprange when using --src-range or --dst-range):
$ iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.168.1.1-192.168.1.3 -j DROP
You can combine -s or --src-range with -d or --dst-range to control both the source and destination. For instance, if the Docker daemon listens on both 192.168.1.99 and 10.1.2.3, you can make rules specific to 10.1.2.3 and leave 192.168.1.99 open.
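The two-address scenario above, written out as an added example (not part of the Docker documentation): a small shell helper that populates the DOCKER-USER chain so that published ports on 10.1.2.3 are reachable only from 192.168.1.0/24 while 192.168.1.99 stays open. The interface name ext_if, the variable names, the run function and the DRY_RUN switch are assumptions of this example; the conntrack rule is an addition so that replies to container-initiated connections are not dropped by the negated source match.

```shell
#!/bin/sh
# Added example: manage the DOCKER-USER chain, which Docker consults before
# its own DOCKER chain. Only DOCKER-USER is touched; the DOCKER chain is
# left to Docker. Set DRY_RUN=1 to print the iptables commands instead of
# executing them (needs root otherwise).

EXT_IF="${EXT_IF:-ext_if}"                    # placeholder: host's external interface
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"  # constructed: who may reach 10.1.2.3
RESTRICTED_ADDR="${RESTRICTED_ADDR:-10.1.2.3}" # address to fence off; 192.168.1.99 stays open

# run: execute iptables, or echo the command when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# docker_user_rules: rebuild DOCKER-USER from scratch so the script is
# safe to re-run. Order matters: conntrack first, then the DROP, then
# the final RETURN that hands packets back to Docker's rules.
docker_user_rules() {
    # Flush only our chain, never the DOCKER chain Docker maintains.
    run -F DOCKER-USER
    # Let replies to connections the containers opened themselves pass,
    # otherwise the negated -s below would drop them.
    run -A DOCKER-USER -i "$EXT_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
    # Combine -d with a negated -s: traffic to 10.1.2.3 is dropped unless it
    # comes from the trusted subnet. Traffic to 192.168.1.99 never matches -d.
    run -A DOCKER-USER -i "$EXT_IF" -d "$RESTRICTED_ADDR" ! -s "$TRUSTED_NET" -j DROP
    # Everything else continues to Docker's own rules.
    run -A DOCKER-USER -j RETURN
}
```

Run `DRY_RUN=1 sh -c '. ./docker-user.sh; docker_user_rules'` first to review the four commands before applying them for real.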
iptables is complicated and more complicated rules are out of scope for this topic. See the Netfilter.org HOWTO for a lot more information.
Prevent Docker from manipulating iptables
To prevent Docker from manipulating the iptables policies at all, set the iptables key to false in /etc/docker/daemon.json. This is inappropriate for most users, because the iptables policies then need to be managed by hand.