Update iptables.md

Extra information:

$ # start two Redis containers, published on host ports 7777 and 8888
$ docker run -d -p 7777:6379 --name data1 redis
$ docker run -d -p 8888:6379 --name data2 redis
$ # one sub-chain per published port: allowed sources RETURN, everything else is rejected
$ sudo iptables -N DOCKER-USER-redis1
$ sudo iptables -A DOCKER-USER-redis1 -s 192.168.56.0/24 -p tcp -m tcp -j RETURN
$ sudo iptables -A DOCKER-USER-redis1 -j REJECT --reject-with icmp-port-unreachable
$ sudo iptables -N DOCKER-USER-redis2
$ sudo iptables -A DOCKER-USER-redis2 -s 10.0.24.0/24 -p tcp -m tcp -j RETURN
$ sudo iptables -A DOCKER-USER-redis2 -j REJECT --reject-with icmp-port-unreachable
$ # classify by the connection's original destination port (the host port, before Docker's DNAT);
$ # --ctdir ORIGINAL keeps replies to outbound connections out of the reject chains (see the note below)
$ sudo iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 7777 --ctdir ORIGINAL -j DOCKER-USER-redis1
$ sudo iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 8888 --ctdir ORIGINAL -j DOCKER-USER-redis2

"I think an example like this belongs in the docs as it probably covers what 99% of users are looking for: the ability to expose ports using `-p` but still be able to control traffic to them using common filters like `-s`."


Note that --ctorigdstport matches the original destination port of the first packet of the connection, not the packet being filtered. So the dropping rule will also drop responses to the outgoing connections from Docker to the world on 5000-9999! Add --ctdir ORIGINAL to the DROP rule to match only incoming packets. See github.com/moby/moby/issues/22054#issuecomment-466663033

You can also specify which chains docker should use. For example, in the filter table, specify another chain instead of `FORWARD`. This allows you to use traditional tools to manage the firewall and decide when to pass control to docker.

Information pulled from:
moby/moby#33567
https://unrouted.io/2017/08/15/docker-firewall/
moby/libnetwork#1675
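Added example (mine, not from this commit or from Docker's own documentation): a POSIX shell function that emits the per-port DOCKER-USER pattern from the commit message above as an iptables-restore fragment, with `--ctdir ORIGINAL` on the jump rules so that only packets travelling in the connection's original direction are classified by their original destination port. The interface name, host ports and source networks are assumed values supplied by the caller; one sub-chain is generated per published host port and several allowed sources may be given per port.

```shell
#!/bin/sh
# Added example, not from the commit or the Docker docs: emit an
# iptables-restore fragment implementing one DOCKER-USER sub-chain per
# published host port. Interface names, ports and CIDRs are assumed
# values passed in by the caller.
#
# Usage: gen_docker_user_rules IFACE "HOSTPORT:CIDR[,CIDR...]" ...
#   gen_docker_user_rules eth0 "7777:192.168.56.0/24" "8888:10.0.24.0/24"
gen_docker_user_rules() {
    iface=$1
    shift

    printf '%s\n' '*filter'
    # Declare every chain first so iptables-restore creates the ones that
    # do not exist yet (with -n, chains that already exist are not flushed).
    printf '%s\n' ':DOCKER-USER - [0:0]'
    for spec in "$@"; do
        printf '%s\n' ":DOCKER-USER-${spec%%:*} - [0:0]"
    done
    # Reset only the chains this fragment owns, so re-running it does not
    # append duplicate rules.
    printf '%s\n' '-F DOCKER-USER'

    for spec in "$@"; do
        port=${spec%%:*}
        cidrs=${spec#*:}
        chain="DOCKER-USER-$port"
        printf '%s\n' "-F $chain"
        # Allowed sources RETURN to DOCKER-USER; anything else is rejected.
        printf '%s\n' "$cidrs" | tr ',' '\n' | while read -r cidr; do
            printf '%s\n' "-A $chain -s $cidr -p tcp -j RETURN"
        done
        printf '%s\n' "-A $chain -j REJECT --reject-with icmp-port-unreachable"
        # Classify by the connection's ORIGINAL destination port (the host
        # port, before Docker's DNAT rewrote it). --ctdir ORIGINAL restricts
        # the match to packets flowing in the connection's original
        # direction, so replies to outbound connections whose original
        # destination port happens to be $port never reach the reject chain.
        printf '%s\n' "-A DOCKER-USER -i $iface -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j $chain"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone run: print the fragment for two published ports.
gen_docker_user_rules eth0 "7777:192.168.56.0/24" "8888:10.0.24.0/24,10.0.25.0/24"
```

Load the output with `iptables-restore -n` so the rest of the ruleset, including what Docker itself installed, is left alone; the `-F` lines inside the fragment reset only the chains the fragment owns, so it can be re-run after a change without stacking duplicate rules. Because the fragment declares `DOCKER-USER` itself, it can be loaded before the daemon starts; Docker adds the `FORWARD -j DOCKER-USER` jump when it comes up.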
paigehargrave authored Feb 26, 2019
1 parent 3080704 commit 9d7d5d2
Showing 1 changed file with 45 additions and 0 deletions.
45 changes: 45 additions & 0 deletions network/iptables.md
@@ -15,6 +15,51 @@ manipulate this table manually. If you need to add rules which load before
Docker's rules, add them to the `DOCKER-USER` chain. These rules are loaded
before any rules Docker creates automatically.

### Add a DOCKER-USER filter chain to allow persistent rules
This can be useful if you need to pre-populate `iptables` rules that need to be in place before Docker runs. The following example creates a new chain named `FILTERS` in which network traffic from `INPUT` AND `DOCKER-USER` is put.

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]

-F INPUT
-F DOCKER-USER
-F FILTERS

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS

-A DOCKER-USER -i ens33 -j FILTERS

-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m state --state NEW -s 1.2.3.4/32 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited

COMMIT
Load this into the kernel with:
```
iptables-restore -n /etc/iptables.conf
```

Use the previous FILTERS chain setup with the following configuration to allow `icmp` to the docker host and allow host port 22 access and container port 5222 access:

```
-A FILTERS -p icmp --icmp-type any -s client_a/32 -j ACCEPT
-A FILTERS -p icmp --icmp-type any -j DROP
-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --dport 22 -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp -s client_a/32 --ctorigdstport 5222 -j ACCEPT
-A FILTERS -j DROP
```

### Restrict connections to the Docker daemon

By default, all external source IPs are allowed to connect to the Docker daemon.
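Review bot: the ICMP restriction in the second FILTERS block (`-A FILTERS -p icmp --icmp-type any -s client_a/32 -j ACCEPT` followed by `-A FILTERS -p icmp --icmp-type any -j DROP`) never sees host-bound ICMP, because the INPUT chain defined above still carries `-A INPUT -p icmp --icmp-type any -j ACCEPT` ahead of `-A INPUT -j FILTERS`; either remove that INPUT rule or state that the second block replaces the first FILTERS rule set rather than being appended to it, since "Use the previous FILTERS chain setup with the following configuration" does not say which. Smaller points in the same hunk: the iptables-restore fragment from `*filter` to `COMMIT` has no code fence and will render as run-together prose; the first block uses `-m state` while the second uses `-m conntrack` (keep conntrack, the state match is a legacy alias); `ens33`, `1.2.3.4/32` and `client_a/32` should be flagged as placeholders (`client_a` is rejected by iptables unless it resolves); opening TCP/23 (telnet) in a default-deny example is a bad default and should be dropped; and the heading says a DOCKER-USER chain is added, whereas the text creates FILTERS and merely jumps to it from DOCKER-USER.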