mesos-user mailing list archives

From Avinash Sridharan <avin...@mesosphere.io>
Subject Re: Custom IPTables rules
Date Wed, 13 Apr 2016 19:59:31 GMT
You need a docker chain in the NAT table as well. The output you are
showing is in the default table.

Try "iptables -t nat -L" to list all rules and chains in the NAT table. You
can add the docker chain in the NAT table with
"iptables -t nat -N Docker" to create a docker chain in the NAT table.

As Rad suggested, restarting the docker daemon would allow Docker to
recreate all the iptables chains and rules it needs. That might be a cleaner
approach than trying to insert rules on your own.

On Wed, Apr 13, 2016 at 12:53 PM, Alfredo Carneiro <
alfredo@simbioseventures.com> wrote:

> Hey Rad,
>
> Thanks for your answer! I have added these lines and now it looks very
> similar to before.
>
> iptables -N DOCKER
> iptables -A FORWARD -o docker0 -j DOCKER
> iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
> iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
>
> However, I am still getting errors.
>
> docker: Error response from daemon: failed to create endpoint
> cranky_kilby on network bridge: iptables failed: iptables --wait -t nat -A
> DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
> ! -i docker0: iptables: No chain/target/match by that name.
> (exit status 1).
>
> This is my iptables -L output:
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> DOCKER     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
>
> Chain DOCKER (1 references)
> target     prot opt source               destination
>
> I hid the INPUT chain because it is very big!
>
> Best Regards,
>
> On Wed, Apr 13, 2016 at 4:29 PM, Rad Gruchalski <radek@gruchalski.com>
> wrote:
>
>> Hi Alfredo,
>>
>> The only thing you need is:
>>
>> -A FORWARD -o docker0 -j DOCKER
>> -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
>> -A FORWARD -i docker0 -o docker0 -j ACCEPT
>>
>> Best regards,
>> Radek Gruchalski
>> radek@gruchalski.com <radek@gruchalski.com>
>> de.linkedin.com/in/radgruchalski/
>>
>>
>> *Confidentiality:*This communication is intended for the above-named
>> person and may be confidential and/or legally privileged.
>> If it has come to you in error you must take no action based on it, nor
>> must you copy or show it to anyone; please delete/destroy and inform the
>> sender immediately.
>>
>> On Wednesday, 13 April 2016 at 21:27, Alfredo Carneiro wrote:
>>
>> Hello guys,
>>
>> I don't know if this is the right place to ask. Since we use public
>> cloud, we are trying to harden our servers by allowing traffic just from
>> our subnetworks. However, when I tried to implement some iptables rules I
>> got problems with Docker, which couldn't find its chain anymore.
>>
>> Then, I am wondering if anyone has ever implemented any iptables rule in
>> this scenario.
>>
>> I've seen this[1] "tip"; however, I think that it does not apply to this
>> case, because it is very "static".
>>
>> [1] - https://fralef.me/docker-and-iptables.html
>>
>> Best Regards,
>>
>> --
>> Alfredo Miranda
>>
>>
>>
>
>
> --
> Alfredo Miranda
>



-- 
Avinash Sridharan, Mesosphere
+1 (323) 702 5245
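Editor's note, with an added example that is not part of the thread and not Docker's own code. The rules posted above only touch the filter table; the failing command in the error is `iptables -t nat -A DOCKER ...`, so what the daemon cannot find is the DOCKER chain in the nat table (chain names are case-sensitive, so it has to be `DOCKER`, not `Docker`). The script below checks an `iptables-save` dump for the DOCKER chain in both tables and prints an `iptables-restore --noflush` fragment that recreates the chains and the jumps a Docker daemon of this era installs for the default bridge. It assumes the bridge device is `docker0` and the bridge subnet is 172.17.0.0/16 (Docker's default); the sample dump embedded in it is constructed to mirror the state shown in the thread.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from Docker).
# Assumptions: bridge device docker0, bridge subnet 172.17.0.0/16, daemon
# running with --iptables=true. iptables chain names are case-sensitive.

# docker_chains_missing FILE
#   FILE holds `iptables-save` output. Prints "table:chain" for each chain
#   Docker needs that is absent, and returns 1 if anything is missing.
docker_chains_missing() {
  ruleset=$1
  rc=0
  for want in filter:DOCKER nat:DOCKER; do
    table=${want%%:*}
    chain=${want##*:}
    # iptables-save opens each table with "*table", declares chains as
    # ":CHAIN policy [pkts:bytes]" and closes the table with "COMMIT".
    if ! awk -v t="*$table" -v c=":$chain" '
        $1 == t         { in_t = 1; next }
        $1 == "COMMIT"  { in_t = 0 }
        in_t && $1 == c { found = 1 }
        END { exit (found ? 0 : 1) }' "$ruleset"; then
      echo "$want"
      rc=1
    fi
  done
  return $rc
}

# docker_restore_fragment
#   Prints a fragment for `iptables-restore --noflush` (append to the live
#   tables instead of replacing them, so a hardening ruleset loaded earlier
#   survives). It creates the DOCKER chains if absent and adds the jumps the
#   daemon would add itself; Docker then appends per-container DNAT rules
#   to nat/DOCKER and ACCEPT rules to filter/DOCKER when publishing ports.
docker_restore_fragment() {
  cat <<'EOF'
*filter
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
EOF
}

# write_sample_ruleset FILE
#   Constructed sample mirroring the thread: filter has the DOCKER chain and
#   the FORWARD jumps, but the nat table has no DOCKER chain at all.
write_sample_ruleset() {
  cat >"$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Demo on the constructed sample. On a live host, replace the sample with
# `iptables-save > /tmp/rules.txt` and, as root, apply the fragment with
# `docker_restore_fragment | iptables-restore --noflush`.
tmp=$(mktemp)
write_sample_ruleset "$tmp"
docker_chains_missing "$tmp" \
  || echo "missing chains above; fix: docker_restore_fragment | iptables-restore --noflush"
rm -f "$tmp"
```

Two caveats worth keeping in mind when combining this with a hardening ruleset. First, `--noflush` appends, so run the fragment once (check with `docker_chains_missing` first) or you will get duplicate jumps. Second, Docker's port-publishing rules are written with destination `0/0`, as the failing command in the thread shows, so a `FORWARD` policy of `DROP` alone does not restrict who can reach a published port once the jumps are in place; a source restriction for containers has to be a rule evaluated before the `-j DOCKER` jump in `FORWARD`, and it has to be loaded before the daemon starts so Docker's own rules land behind it.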
