post: ferm rules for docker
This commit is contained in:
parent
7bf7c42b8f
commit
520e832b33
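--- /dev/null
+++ b/source/_posts/2014-11-01-ferm-rules-for-docker.markdown
@@ -0,0 +1,41 @@
+---
+layout: post
+title: "Ferm rules for docker"
+date: 2014-11-01 15:05:44 +0100
+comments: true
+categories:
+- docker
+---
+
+The Docker daemon add his own custom rules by default to iptables. If you use
+[ferm](http://ferm.foo-projects.org/) to manage your iptables rules, it is a
+good idea to prepopulate rules for docker. Otherwise they will be overwritten by
+ferm as it restarts.
+
+To do so add the following lines at the top of your ferm.conf:
+
+```
+domain ip {
+table filter chain FORWARD {
+outerface docker0 mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+interface docker0 outerface !docker0 ACCEPT;
+interface docker0 outerface docker0 ACCEPT;
+}
+table nat {
+chain DOCKER;
+chain PREROUTING {
+mod addrtype dst-type LOCAL jump DOCKER;
+}
+chain OUTPUT {
+daddr !127.0.0.0/8 mod addrtype dst-type LOCAL jump DOCKER;
+}
+
+chain POSTROUTING {
+saddr 172.17.0.0/16 outerface !docker0 MASQUERADE;
+}
+}
+}
+```
+
+In my case docker's subnet is `172.17.0.0/16` and uses `docker0` as bridge
+device.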