If I type iptables -L there is this line in the output:
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
My container is exposed publicly and I can request a dummy http server from everywhere (tested). I try to remove that rule so port 80 is only exposed inside my server (localhost:80). I tried:
root@ns25252:~# iptables -D DOCKER --destination 172.17.0.2 -p tcp --dport 80 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
As the error implies, it can't find the matching rule. How should I type it to remove the line?
One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables command with the -D option followed by the rule specification. If you want to delete rules using this method, you can use the output of the rules list, iptables -S, for some help.
The default policy is ACCEPT; change the policy to DROP for all of INPUT, FORWARD, OUTPUT. For every firewall rule, we need to define two rules, i.e., one for incoming and another for outgoing. If we trust the internal users, we can use DROP for incoming rules, and the default outgoing will be ACCEPT.
The iptables firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the iptables ruleset. Rationale: Docker will never make changes to your system iptables rules unless you allow it to do so.
If you're running Docker on a host that is exposed to the Internet, you will probably want to have iptables policies in place that prevent unauthorized access to containers or other services running on your host.
It's usually easier to delete by number, unless there is a chance that the number could change between the time you listed the rules and the time you delete the rule.
Here's how to delete by line number:
# iptables -L --line-numbers
(snip)
Chain DOCKER (2 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http
(snip)
# iptables -D DOCKER 1
Alternatively, you can get the full specification by doing iptables -S. Example:
# iptables -S
(snip)
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
(snip)
Turn the -A into a -D and use this as the args to iptables to delete the rule:
# iptables -D DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
NOTE: This answer perplexingly still gets upvotes from time to time. I have no idea what everyone is trying to actually accomplish, I just blindly answered an iptables-related question. If you want to start a Docker container that is not accessible to the outside world, that's an entirely different topic, and this is not an appropriate answer in your case. (Maybe start by not exposing/publishing the port.)
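An added helper (not part of the answer above) that automates the "turn -A into -D" step: it reads iptables -S output for a chain, keeps only the rules whose -d and --dport match, and prints each one as an exact deletion command for review before running. It is fed a constructed sample of iptables -S DOCKER output so it runs without root; the -S form is used because it prints numeric ports, whereas plain iptables -L resolves them to service names such as http-alt.

```shell
#!/bin/sh
# Constructed sample of `iptables -S DOCKER` output (not captured from a real host).
SAMPLE_RULES='-N DOCKER
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j ACCEPT'

# delete_cmds_for CHAIN DEST_IP DPORT [RULES]
#   Prints one "iptables -D CHAIN ..." line per rule in CHAIN whose destination
#   and --dport match. RULES is the text of `iptables -S CHAIN`; when omitted,
#   the live ruleset is read (requires root). Nothing is executed here: review
#   the output, then run the line you want (or pipe it to sh).
delete_cmds_for() {
    chain=$1; dest=$2; dport=$3
    rules=${4:-$(iptables -S "$chain")}
    printf '%s\n' "$rules" | awk -v chain="$chain" -v dest="$dest" -v dport="$dport" '
        BEGIN { if (dest !~ /\//) dest = dest "/32" }   # -S prints hosts as /32
        $1 == "-A" && $2 == chain {
            d = ""; p = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") d = $(i + 1)
                if ($i == "--dport") p = $(i + 1)
            }
            # Rewrite the append to a delete; the rest of the spec is kept verbatim,
            # which is what makes iptables -D find the rule.
            if (d == dest && p == dport) { $1 = "-D"; print "iptables " $0 }
        }'
}

# Count matching rules: iptables -D removes only the first match, so more than
# one hit means the command has to be run once per rule (or delete by number).
count_matches() {
    delete_cmds_for "$@" | wc -l | tr -d ' '
}
```

Running `delete_cmds_for DOCKER 172.17.0.2 8080 "$SAMPLE_RULES"` prints the one deletion line for the first rule, while asking for port 80 on that address prints nothing, mirroring the "Bad rule" result when the specification does not match.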