How to protect iptables when we use docker-compose

By default Docker dynamically adds its own rules to iptables, so you can't flush or manage the firewall as usual. I saw many solutions, like saving the current Docker rules and restoring them afterwards... I don't think that is a good idea... If Docker can't deal with the firewall, we need to free it from this task. Daemonizing docker-compose with systemd is covered in a separate post.


Stop Docker managing iptables
# cat /etc/docker/daemon.json
{
  "log-driver": "journald",
  "iptables": false
}

Static NAT configuration
#!/bin/sh
# Flush the NAT chains Docker would otherwise populate, then add static rules.
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING

# Masquerade traffic from the container subnet
# (iptables normalises 10.100.0.1/24 to 10.100.0.0/24).
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.1/24 -o docker0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.1/24 -o eth0 -j MASQUERADE

# Allow forwarding between containers and between the bridge and eth0.
# FORWARD is not flushed above, so re-running this script appends duplicates.
/sbin/iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
/sbin/iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT

How to configure docker-compose.yml (the version 3 format is important)
version: '3'
...
networks:
  default:
    driver: bridge
    driver_opts: {com.docker.network.enable_ipv6: 'false'}
    ipam:
      config:
      - {subnet: 10.100.0.1/24}
      driver: default
...
services:
  nginx-d1:
    container_name: nginx-d1
    hostname: nginx-d1
    image: nginx:1.14
    links: [fluentd, php-d1]
    logging:
      driver: fluentd
      options: {tag: nginx-d1}
    ports: ['443:443', '80:80']
    volumes: [
      '/data/code:/code', 
      '/srv/docker-compose/configs/nginx-d1/conf.d:/etc/nginx/conf.d'
    ]
...
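The three pieces above belong together: once `"iptables": false` is set, the static script is the only thing putting NAT and FORWARD rules in place, so it has to be safe to re-run (for example from a systemd unit) and its interface name has to match the bridge Docker actually creates. A compose project's `default` network is a user-defined bridge, which Docker names `br-<id>` rather than `docker0` unless the name is pinned with the `com.docker.network.bridge.name` driver option, so check `ip link` on the host. The script below is an added example, not the post's own script: it parameterises the bridge, subnet and WAN interface (`BRIDGE`, `SUBNET`, `WAN` and the `IPT` override are assumptions), appends each rule only if `iptables -C` says it is missing, and lets only reply traffic back in from the WAN side with a conntrack match instead of the blanket `eth0 -> docker0 ACCEPT` used above.

```shell
#!/bin/sh
# Added example: idempotent static NAT/forwarding rules for a Docker bridge,
# replacing the rules Docker would add itself when "iptables": false is set.
# BRIDGE, SUBNET and WAN are assumptions; set them to match your host.
# Usage: BRIDGE=br-xxxx SUBNET=10.100.0.0/24 WAN=eth0 sh docker-nat.sh apply
BRIDGE="${BRIDGE:-docker0}"
SUBNET="${SUBNET:-10.100.0.0/24}"
WAN="${WAN:-eth0}"
IPT="${IPT:-/sbin/iptables}"   # overridable so the functions can be dry-run

# ensure_rule TABLE CHAIN MATCH... : append the rule only if it is not
# already present, so the script can be re-run without duplicating rules.
ensure_rule() {
  _table=$1
  _chain=$2
  shift 2
  if "$IPT" -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
    return 0
  fi
  "$IPT" -t "$_table" -A "$_chain" "$@"
}

apply_rules() {
  # Containers reach the outside world through the host's WAN address.
  ensure_rule nat POSTROUTING -s "$SUBNET" -o "$WAN" -j MASQUERADE
  # Container-to-container traffic on the same bridge.
  ensure_rule filter FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
  # Outbound from containers, and only the replies back in (stateful),
  # instead of a blanket WAN -> bridge ACCEPT. Published ports are handled
  # by docker-proxy on the host when Docker's iptables support is off.
  ensure_rule filter FORWARD -i "$BRIDGE" -o "$WAN" -j ACCEPT
  ensure_rule filter FORWARD -i "$WAN" -o "$BRIDGE" \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

case "${1:-}" in
  apply) apply_rules ;;
esac
```

Run it with `apply` as the first argument; without it the file only defines the functions, which is what makes the rule set easy to dry-run by pointing `IPT` at a wrapper that logs instead of calling iptables.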
