mesos-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alfredo Carneiro <alfr...@simbioseventures.com>
Subject Re: Custom IPTables rules
Date Wed, 13 Apr 2016 19:53:44 GMT
Hey Rad,

Thanks for your answer! I have added theses lines and now looks very
similar before.

*iptables -N DOCKER*
*iptables -A FORWARD -o docker0 -j DOCKER*
*iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT*
*iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT*
*iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT*

However, I am still getting errors.

*docker: Error response from daemon: failed to create endpoint cranky_kilby
on network bridge: iptables failed: iptables --wait -t nat -A DOCKER -p tcp
-d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
<http://172.17.0.2:8080> ! -i docker0: iptables: No chain/target/match by
that name.*
* (exit status 1).*

This is my iptables -L output:

*Chain FORWARD (policy DROP)*
*target     prot opt source               destination         *
*DOCKER     all  --  anywhere             anywhere            *
*ACCEPT     all  --  anywhere             anywhere             ctstate
RELATED,ESTABLISHED*
*ACCEPT     all  --  anywhere             anywhere            *
*ACCEPT     all  --  anywhere             anywhere            *

*Chain OUTPUT (policy ACCEPT)*
*target     prot opt source               destination         *
*ACCEPT     all  --  anywhere             anywhere            *

*Chain DOCKER (1 references)*
*target     prot opt source               destination*

I hid the INPUT chain because is very big!

Best Regards,

On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <radek@gruchalski.com>
wrote:

> Hi Alfredo,
>
> The only thing you need is:
>
> -A FORWARD -o docker0 -j DOCKER
> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
> Best regards,
> Radek Gruchalski
> radek@gruchalski.com <radek@gruchalski.com>
> de.linkedin.com/in/radgruchalski/
>
>
> *Confidentiality:*This communication is intended for the above-named
> person and may be confidential and/or legally privileged.
> If it has come to you in error you must take no action based on it, nor
> must you copy or show it to anyone; please delete/destroy and inform the
> sender immediately.
>
> On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
>
> Hello guys,
>
> I don't know if that is the right place to ask. So, since we use public
> cloud, we are trying to hardening our servers allowing traffic just from
> our subnetworks. However, when I tried to implement some iptables rules I
> got problems with Docker, which couldn't find its chain anymore.
>
> Then, I am wondering if anyone has ever implemented any iptables rule in
> this scenario.
>
> I've seen this[1] "tip", however, I think that it is not apply to this
> case, because it is very "static".
>
> [1] - https://fralef.me/docker-and-iptables.html
>
> Best Regards,
>
> --
> Alfredo Miranda
>
>
>


-- 
Alfredo Miranda

Mime
View raw message