Properly manage iptables rules on Docker host

Server Fault Asked by Ural on December 27, 2021

I am using Gentoo and Docker. I have a bunch of my own iptables rules, and keep them in /var/lib/iptables/rules-save.
Docker adds a bunch of its own rules when it starts. It seems that iptables is auto-saving to rules-save each time; however, I thought this file acts like /etc/iptables/rules.v4 from the iptables-persistent Ubuntu package.

My question is, how do I properly manage all the rules? Is it safe to load the previously saved docker rules before docker starts? If docker decides to change some rules, will that not happen in such a setup?

When I am adding a new rule, I do it manually with iptables -I, then edit /var/lib/iptables/rules-save and add it there too.
I think it is not safe to just add the rule and reload all rules from that file, because of docker.
I need to add a rule to the DOCKER-ISOLATION chain and be sure this rule exists BEFORE any DOCKER-ISOLATION rules added by docker, even if docker restarts.

Please advise on how to safely manage iptables rules with docker.

One Answer

In my experience, you should ignore docker entirely in most situations.

It will gladly adjust your iptables rules to suit its needs, and you shouldn't need to accommodate it in any way.

I use docker on systems where the firewall is managed by:

  • shorewall
  • firewalld
  • me, manually

And in all cases, I have nothing in place for docker, not even the DOCKER-ISOLATION chain - docker normally puts that in place when it starts up.

If you do need to make firewall changes on the fly, then I agree that reloading from your saved rules file might not be the best way.

You should probably manually add the rule (e.g. iptables -A), and edit your rule file, but not do a restore from that rule file.

It might be possible to reload the docker daemon in order to have it restore its own firewall rules, but I can't test that just now, and would in general try and avoid doing so.

Answered by iwaseatenbyagrue on December 27, 2021
