How to protect iptables when we use docker-compose
How to protect iptables when we use docker-compose. By default Docker dynamically adds its own rules to iptables, so you can no longer flush or manage the firewall as usual. I have seen many workarounds, such as saving the current Docker rules and restoring them afterwards, but I don't think that is a good idea. If Docker can't handle the firewall cleanly, we should free it from that task and manage the rules ourselves. Running docker-compose as a daemon under systemd is described here.
No manage iptables anymore
Static NAT configuration
How to configure docker-compose.yml (version 3, this is very important)
No manage iptables anymore
# cat /etc/docker/daemon.json
{ "log-driver": "journald", "iptables": false}
Static NAT configuration
#!/bin/sh
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.1/24 -o docker0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 10.100.0.1/24 -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
/sbin/iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
How to configure docker-compose.yml (version 3, this is very important)
version: '3'
...
networks:
  default:
    driver: bridge
    driver_opts: {com.docker.network.enable_ipv6: 'false'}
    ipam:
      driver: default
      config:
        - {subnet: 10.100.0.1/24}
...
services:
  nginx-d1:
    container_name: nginx-d1
    hostname: nginx-d1
    image: nginx:1.14
    links: [fluentd, php-d1]
    logging:
      driver: fluentd
      options: {tag: nginx-d1}
    ports: ['443:443', '80:80']
    volumes: [
      '/data/code:/code',
      '/srv/docker-compose/configs/nginx-d1/conf.d:/etc/nginx/conf.d'
    ]
...