9

I want to run a Docker container with a central log and a fail2ban service to prevent DoS/DDoS attacks.

I'm having a problem running a container with such capabilities that it could also modify the host's iptables.

There is a project, ianblenke/docker-fail2ban; however, it does not work...

Giving the container the privileged flag only allows me to control iptables in this container. Is there any way to control the host's iptables through a container?

Regards.

George Netu
Maciej Krajewski
  • Why would you want to run fail2ban inside a container? – Blusky May 11 '15 at 13:32
  • I'm running multiple services in different containers and I would like to have a central container which will be responsible for preventing DoS/DDoS attacks... – Maciej Krajewski May 11 '15 at 15:00
  • 1
    I'm exploring a teaching activity that uses iptables to partition containerised MongoDB replica sets and similarly need to poke the host VM's iptables from inside a container. How do I do that (i.e. what commands in the container allow it to manipulate the host VM's iptables)? – psychemedia Jun 09 '15 at 13:37

2 Answers

17

The --privileged flag is not required anymore. Starting with Docker 1.2 you can run your image with the parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW, which will allow internal iptables.

It might also be worth noting that in the official Ubuntu images from Docker Hub the iptables package is not installed. So the general instructions should be:

  • apt-get install iptables
  • run the Docker container with the --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.

Also, if you have a Docker image that is missing the iptables package, and you don't want to create a custom image from it, you may run a container with iptables in the same network namespace. E.g. if you have the container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:

docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables

Dmitriusan
16

Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).

If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:

--net="bridge"
   Set the Network mode for the container
       'bridge': creates a new network stack for the container on the docker bridge
       'none': no networking for this container
       'container:': reuses another container network stack
       'host':  use  the host network stack inside the container.
       Note: the host mode gives the container full access to
       local system services such as D-bus and is therefore
       considered insecure.

You will need to run with both --privileged and --net=host.

larsks
  • It worked. I thought I was testing this, but I was using net="bridge" - it worked - thx. – Maciej Krajewski May 11 '15 at 15:09
  • Maciej, can you please tell how you got to the host's iptables from the container? – jeesty Jan 13 '16 at 16:31
  • Does it make sense, though? `dockerd` itself curates its own rules in the host's iptables. If you run anything that manipulates firewall rules, you risk messing up the rules placed by `dockerd`. If anything, you need to be absolutely sure what that tool is doing to your iptables before letting it loose with `--privileged --net=host`. – JulioHM May 06 '19 at 04:07
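The two answers above turn on the same distinction: NET_ADMIN alone only reaches the container's own network namespace, while NET_ADMIN (or --privileged) combined with --net=host reaches the host's rules, including the ones dockerd maintains. As an added example that is not part of the original thread, this Python script audits `docker inspect` output and reports, per container, which iptables it is able to change; the container names and the inspect JSON are constructed sample data.

```python
import json

# Constructed sample of `docker inspect` output (not taken from the thread):
# four containers started with different combinations of flags.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/fail2ban-host", "HostConfig": {"Privileged": False, "NetworkMode": "host",
     "CapAdd": ["NET_ADMIN", "NET_RAW"], "CapDrop": ["ALL"]}},
    {"Name": "/fail2ban-bridge", "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
     "CapAdd": ["NET_ADMIN", "NET_RAW"], "CapDrop": None}},
    {"Name": "/legacy-privileged", "HostConfig": {"Privileged": True, "NetworkMode": "host",
     "CapAdd": None, "CapDrop": None}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
     "CapAdd": None, "CapDrop": None}},
])


def _normalize_cap(cap):
    """Docker accepts 'net_admin', 'NET_ADMIN' and 'CAP_NET_ADMIN'; compare them uniformly."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def classify(container):
    """Return (scope, reason) for one container record from `docker inspect`.

    scope is 'host' (can rewrite the host's rules, including those dockerd
    placed), 'shared-netns' (rules of another container's namespace, via
    --net=container:<name>), 'own-netns' (only its own isolated namespace),
    or 'none'.
    """
    hc = container["HostConfig"]
    caps = {_normalize_cap(c) for c in (hc.get("CapAdd") or [])}
    privileged = bool(hc.get("Privileged"))
    mode = hc.get("NetworkMode") or "bridge"
    if not (privileged or "NET_ADMIN" in caps):
        return "none", "neither NET_ADMIN nor --privileged"
    if mode == "host" and privileged:
        return "host", "--privileged with --net=host: all capabilities in the host netns"
    if mode == "host":
        return "host", "NET_ADMIN in the host network namespace"
    if mode.startswith("container:"):
        return "shared-netns", "NET_ADMIN in a namespace shared with " + mode.split(":", 1)[1]
    return "own-netns", "NET_ADMIN, but an isolated network namespace"


def audit(inspect_json):
    """Map container name -> scope for every record in a `docker inspect` dump."""
    return {c["Name"].lstrip("/"): classify(c)[0] for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, scope in audit(SAMPLE_INSPECT).items():
        print(f"{name:20s} {scope}")
```

Run it against live data with `docker inspect $(docker ps -q)` piped in; any container reported as `host` is one whose firewall tool can interfere with the rules dockerd manages.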