From 520e832b33731dc6c8c41ff63eb154a2c3f94782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sat, 1 Nov 2014 15:13:50 +0100
Subject: [PATCH] post: ferm rules for docker
---
.../2014-11-01-ferm-rules-for-docker.markdown | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 source/_posts/2014-11-01-ferm-rules-for-docker.markdown
diff --git a/source/_posts/2014-11-01-ferm-rules-for-docker.markdown b/source/_posts/2014-11-01-ferm-rules-for-docker.markdown
new file mode 100644
index 0000000..d1cca48
--- /dev/null
+++ b/source/_posts/2014-11-01-ferm-rules-for-docker.markdown
@@ -0,0 +1,41 @@
+---
+layout: post
+title: "Ferm rules for docker"
+date: 2014-11-01 15:05:44 +0100
+comments: true
+categories:
+ - docker
+---
+
+The Docker daemon add his own custom rules by default to iptables. If you use
+[ferm](http://ferm.foo-projects.org/) to manage your iptables rules, it is a
+good idea to prepopulate rules for docker. Otherwise they will be overwritten by
+ferm as it restarts.
+
+To do so add the following lines at the top of your ferm.conf:
+
+```
+domain ip {
+ table filter chain FORWARD {
+ outerface docker0 mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+ interface docker0 outerface !docker0 ACCEPT;
+ interface docker0 outerface docker0 ACCEPT;
+ }
+ table nat {
+ chain DOCKER;
+ chain PREROUTING {
+ mod addrtype dst-type LOCAL jump DOCKER;
+ }
+ chain OUTPUT {
+ daddr !127.0.0.0/8 mod addrtype dst-type LOCAL jump DOCKER;
+ }
+
+ chain POSTROUTING {
+ saddr 172.17.0.0/16 outerface !docker0 MASQUERADE;
+ }
+ }
+}
+```
+
+In my case docker's subnet is `172.17.0.0/16` and uses `docker0` as bridge
+device.