docker iptables

Docker creates four custom chains in the iptables filter table (it also creates a DOCKER chain in the nat table for port publishing, which is not covered here):

  • DOCKER
  • DOCKER-USER
  • DOCKER-ISOLATION-STAGE-1
  • DOCKER-ISOLATION-STAGE-2

The first two are described in Docker's own documentation. DOCKER-USER is the one chain meant for your own rules: Docker jumps to it before any of its own rules, and it leaves it alone when it rewrites the rest, so rules in FORWARD that are added outside DOCKER-USER are evaluated only after Docker has already accepted traffic to a published port:

https://docs.docker.com/network/iptables/

To see how Docker uses iptables in action, it's best to run Docker on a Linux host that has no other iptables rules in place. For example, a fresh installation of Ubuntu Server with nothing installed except Docker.

After installing Docker, the filter table looks like this:

vmware@docker:~$ sudo iptables -L
[sudo] password for vmware:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

In the output above, you can see the four chains. The DOCKER chain already has two references because there are two bridge networks: every bridge gets its own block of rules in FORWARD and its own entries in the two isolation chains. Note that FORWARD has a default policy of DROP; anything Docker does not explicitly accept is dropped.

Let's run some containers:

  • MySQL (TCP 3306)
  • Web (TCP 80)

This is what the DOCKER chain now looks like:

vmware@docker:~$ sudo iptables -L
[sudo] password for vmware:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.144.2        tcp dpt:mysql
ACCEPT     tcp  --  anywhere             192.168.144.4        tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

In the output above, you can see the DOCKER chain, which now has two entries, one per published port. The plain -L output hides the interfaces, which is where the real logic lives; add -n (no name resolution) and -v (verbose) to get packet/byte counters and the in/out interfaces:

vmware@docker:~/git/nwl-init-html$ sudo iptables -L -nv
Chain INPUT (policy ACCEPT 8211 packets, 715K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  119  171K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  119  171K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   72  167K ACCEPT     all  --  *      br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
   47  3520 ACCEPT     all  --  br-b0a981d644bf !br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
  15M  116G ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 9767  586K DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5211K   21G ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 9767  586K ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-be2db5e852a0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-be2db5e852a0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-be2db5e852a0 !br-be2db5e852a0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-be2db5e852a0 br-be2db5e852a0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 588 packets, 103K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0            192.168.144.2        tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0            192.168.144.4        tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   47  3520 DOCKER-ISOLATION-STAGE-2  all  --  br-b0a981d644bf !br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
5211K   21G DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-be2db5e852a0 !br-be2db5e852a0  0.0.0.0/0            0.0.0.0/0
  21M  138G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-be2db5e852a0  0.0.0.0/0            0.0.0.0/0
5442K   21G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  21M  138G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Read with the interfaces visible, the logic is: the DOCKER chain accepts traffic that arrives from outside a bridge (!br-...) and leaves towards a container on that bridge (br-...), but only for the container address and port that was published; STAGE-1 catches packets leaving a bridge for some other interface and STAGE-2 drops them if that other interface is another Docker bridge, which is what keeps the networks apart; reply traffic is accepted by the RELATED,ESTABLISHED rules; anything else falls off the end of FORWARD and hits the policy DROP. The counters are a quick audit tool: a DROP rule in STAGE-2 with a non-zero count means some container tried to cross into another network.
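As an added example (not code from this page or from Docker), the following Python parses the `iptables -L -nv` dump format shown above and walks a packet through FORWARD with netfilter's jump/RETURN semantics, so you can check the reading given above instead of trusting it: a published port is reachable from any external source, an unpublished port on the same container falls off the end of FORWARD and hits the policy DROP, and a container on docker0 cannot reach a container on the other bridge. It also shows the one thing the DOCKER chain alone cannot do, restricting who may reach a published port, by inserting a rule at the top of DOCKER-USER, the way the Docker documentation linked above recommends. The sample dump is constructed from the listing on this page, trimmed to the rules needed; `ens33`, the 203.0.113.5 and 10.1.2.3 source addresses and the 10.0.0.0/8 "trusted" range are assumptions.

```python
"""Walk a packet through Docker's FORWARD chain, using the `iptables -L -nv`
dump format. Added example, not code from the original page or from Docker.
SAMPLE is constructed from the page's listing and trimmed; `ens33` is an assumed
external interface name and 10.0.0.0/8 an assumed trusted range."""
import ipaddress
import re

SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  119  171K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  119  171K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   72  167K ACCEPT     all  --  *      br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
   47  3520 ACCEPT     all  --  br-b0a981d644bf !br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
Chain DOCKER (1 references)
    0     0 ACCEPT     tcp  --  !br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0            192.168.144.2        tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-b0a981d644bf br-b0a981d644bf  0.0.0.0/0            192.168.144.4        tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
   47  3520 DOCKER-ISOLATION-STAGE-2  all  --  br-b0a981d644bf !br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
5211K   21G DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  21M  138G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    0     0 DROP       all  --  *      br-b0a981d644bf  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5442K   21G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DOCKER-USER (1 references)
  21M  138G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# One -nv row: pkts bytes target prot opt in out source destination [extra matches]
ROW = re.compile(r"^\s*\S+\s+\S+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+"
                 r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
CHAIN = re.compile(r"^Chain (\S+) \((?:policy (\w+))?")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(dump):
    """Return ({chain: [rule dicts]}, {chain: policy, None for user-defined chains})."""
    chains, policies, cur = {}, {}, None
    for line in dump.splitlines():
        m = CHAIN.match(line)
        if m:
            cur = m.group(1)
            chains[cur], policies[cur] = [], m.group(2)
        elif cur and line.strip() and not line.lstrip().startswith("pkts"):
            chains[cur].append(ROW.match(line).groupdict())
    return chains, policies

def _iface(spec, actual):  # "*" matches anything, "!x" negates
    return spec == "*" or (actual != spec[1:] if spec.startswith("!") else actual == spec)

def _addr(spec, actual):  # "0.0.0.0/0", "10.0.0.0/8", "192.168.144.2", "!10.0.0.0/8"
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(actual) in net) != spec.startswith("!")

def _matches(rule, pkt):
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    if not (_iface(rule["in"], pkt["in"]) and _iface(rule["out"], pkt["out"])):
        return False
    if not (_addr(rule["src"], pkt["src"]) and _addr(rule["dst"], pkt["dst"])):
        return False
    dpt = re.search(r"dpt:(\d+)", rule["extra"])
    if dpt and int(dpt.group(1)) != pkt["dport"]:
        return False
    ct = re.search(r"ctstate (\S+)", rule["extra"])
    return not ct or pkt["ctstate"] in ct.group(1).split(",")

def _walk(chains, chain, pkt):
    """Netfilter semantics: a target naming another chain is a jump; RETURN, or
    falling off the end of a user chain, resumes the caller. None = no verdict yet."""
    for rule in chains[chain]:
        if not _matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"]
        if rule["target"] == "RETURN":
            return None
        if rule["target"] in chains:
            v = _walk(chains, rule["target"], pkt)
            if v is not None:
                return v
    return None

def verdict(dump, pkt, user_rules=()):
    """Verdict for a forwarded packet. user_rules are extra -nv rows placed at
    the top of DOCKER-USER, as `iptables -I DOCKER-USER ...` would place them."""
    chains, policies = parse(dump)
    chains["DOCKER-USER"] = [ROW.match(r).groupdict() for r in user_rules] + chains["DOCKER-USER"]
    v = _walk(chains, "FORWARD", pkt)
    return v if v is not None else policies["FORWARD"]

# Constructed packets. By the time FORWARD sees a published-port packet, nat
# PREROUTING has already DNATed it to the container address, so we match on that.
FROM_INTERNET = {"proto": "tcp", "in": "ens33", "out": "br-b0a981d644bf", "src": "203.0.113.5",
                 "dst": "192.168.144.2", "dport": 3306, "ctstate": "NEW"}
CROSS_BRIDGE = {**FROM_INTERNET, "in": "docker0", "src": "172.17.0.2"}
# How `iptables -I DOCKER-USER -i ens33 ! -s 10.0.0.0/8 -d 192.168.144.2 -p tcp --dport 3306 -j DROP`
# renders in -nv output (assumed interface and trusted range):
RESTRICT_MYSQL = "    0     0 DROP       tcp  --  ens33  *       !10.0.0.0/8          192.168.144.2        tcp dpt:3306"

if __name__ == "__main__":
    print("internet -> mysql      ", verdict(SAMPLE, FROM_INTERNET))
    print("internet -> mysql:22   ", verdict(SAMPLE, {**FROM_INTERNET, "dport": 22}))
    print("docker0  -> other net  ", verdict(SAMPLE, CROSS_BRIDGE))
    print("internet -> mysql, DOCKER-USER rule", verdict(SAMPLE, FROM_INTERNET, [RESTRICT_MYSQL]))
```

The DOCKER-USER rule is written against the container address and port rather than the host's published port because the DNAT has already happened when FORWARD runs; a rule in INPUT would never see this traffic at all, which is why host-level firewalls such as ufw do not protect Docker-published ports unless they put their rules in DOCKER-USER.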