Can't delete docker container's default iptables rule

If I type iptables -L, there is this line in the output:

Chain DOCKER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http-alt

My container is exposed publicly and I can request a dummy http server from everywhere (tested). I try to remove that rule so port 80 is only exposed inside my server (localhost:80). I tried:

root@ns25252:~# iptables -D DOCKER  --destination 172.17.0.2 -p tcp --dport 80 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

As the error implies, it can't find the matching rule. How should I type it to remove the line?

vdegenne asked Apr 29 '18 08:04



1 Answer

It's usually easier to delete by number, unless there is a chance that the number could change between the time you listed the rules and the time you delete the rule.

Here's how to delete by line number:

# iptables -L --line-numbers
(snip)
Chain DOCKER (2 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http
(snip)
# iptables -D DOCKER 1

Alternatively, you can get the full specification by doing iptables -S. Example:

# iptables -S
(snip)
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
(snip)

Turn the -A into a -D and use this as the args to iptables to delete the rule:

# iptables -D DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT

NOTE: This answer perplexingly still gets upvotes from time to time. I have no idea what everyone is trying to actually accomplish, I just blindly answered an iptables-related question. If you want to start a Docker container that is not accessible to the outside world, that's an entirely different topic, and this is not an appropriate answer in your case. (Maybe start by not exposing/publishing the port.)

sneep answered Oct 26 '22 21:10
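The answer's second method (copy the rule from iptables -S, change -A to -D) fails exactly when the typed spec differs from the installed one in any detail, as it does in the question: iptables -L prints dpt:http-alt, which is port 8080, not 80. The script below is an added example and is not part of the original question or answer. It reads an iptables -S DOCKER listing (here a constructed sample embedded so it runs offline; on a real host pipe the live command in instead), picks the ACCEPT rules for a given destination and numeric port, and prints the exact iptables -D commands, so the deletion is built from the installed spec rather than retyped. The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original Q&A.
# Generate exact `iptables -D DOCKER ...` commands from `iptables -S DOCKER`
# output, matching on destination address and numeric port.

# Constructed sample listing in the format `iptables -S DOCKER` prints.
# `-S` always shows numeric ports; `-L` resolves them to service names
# (http-alt == 8080), which is the mismatch that produces "Bad rule".
SAMPLE_RULES='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT'

# delete_cmds_for DEST PORT
#   Reads `iptables -S DOCKER` lines on stdin and prints one
#   `iptables -D ...` line per -A rule whose -d and --dport match.
#   The port match is word-bounded so 80 does not match 8080.
delete_cmds_for() {
    dest="$1"
    port="$2"
    # Escape the dots in the address so they match literally in the regex.
    dest_re=$(printf '%s' "$dest" | sed 's/\./\\./g')
    grep -E "^-A DOCKER .*-d ${dest_re}/32 .*--dport ${port}( |$)" |
        sed 's/^-A /iptables -D /'
}

# Demonstration on the constructed listing. Nothing is executed; the
# commands are only printed so they can be reviewed before running as root.
printf '%s\n' "$SAMPLE_RULES" | delete_cmds_for 172.17.0.2 8080
```

On a live host replace the sample with `iptables -S DOCKER | delete_cmds_for 172.17.0.2 8080`, or use `iptables -nL DOCKER --line-numbers` to see numeric ports when deleting by number; numbers shift after each deletion, so re-list before deleting another. Two caveats the answer's closing note points at: the DOCKER chain is managed by the Docker daemon, so a rule deleted by hand comes back when the container is restarted, and the durable way to get the localhost-only behaviour asked for is to publish the port bound to loopback (for example `-p 127.0.0.1:80:80`) or not publish it at all.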