Docker: How to re-create dockers additional iptables rules?

When the docker daemon starts it adds a couple of rules to iptables. When all rules are deleted via iptables -F, I have to stop and restart the docker daemon to re-create docker's rules.

Is there a way to have docker re-add its additional rules?

kioopi asked Sep 18 '14 16:09




2 Answers

The best way is to restart your docker service; then it'll re-add your docker rules to iptables (on deb-based: sudo service docker restart).

However, if you just want to restore those rules without restarting your service, I saved mine so you can inspect and adjust it to work for you, then load it using sudo iptables-restore ./iptables-docker-ports.backup

Edit and save this to ./iptables-docker-ports.backup

# Generated by iptables-save v1.4.21 on Thu Apr 30 20:48:42 2015
*nat
:PREROUTING ACCEPT [18:1080]
:INPUT ACCEPT [18:1080]
:OUTPUT ACCEPT [22:1550]
:POSTROUTING ACCEPT [22:1550]
:DOCKER - [0:0]
# Send traffic for local addresses through Docker's port-mapping chain
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Masquerade container traffic that leaves the docker0 bridge
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Hairpin NAT so the container can reach its own published port
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p tcp -m tcp --dport 80 -j MASQUERADE
# Published port: host port 3001 -> container 172.17.0.1:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 172.17.0.1:80
COMMIT
# Completed on Thu Apr 30 20:48:42 2015
# Generated by iptables-save v1.4.21 on Thu Apr 30 20:48:42 2015
*filter
:INPUT ACCEPT [495:53218]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [480:89217]
:DOCKER - [0:0]
# Forwarding to and from the docker0 bridge
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Let the published port's traffic into the container
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Apr 30 20:48:42 2015
theRemix answered Nov 10 '22 13:11


If you're running Ubuntu on the host, you can use the iptables-save utility to save the iptables rules to a file after you start the docker daemon. Then, once you flush the old rules, you can simply restore the original docker rules using iptables-restore and the saved rules file.

If you don't want to restore all the old iptables rules, you can alter the saved rules file to keep only the ones you need.

If you're running another operating system, you might find a similar alternative.

dcro answered Nov 10 '22 15:11
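Both answers describe the same procedure: save the rules once the daemon has installed them, then put them back after the flush. The script below is an added example, not code from either answer or from Docker: it filters an iptables-save dump down to Docker's own rules (the DOCKER* chains, anything matching the docker0 bridge or the bridge subnet) so that restoring the file does not overwrite the rest of the firewall. The function and helper names, the 172.17.x.x default subnet and the sample dump (which also includes the DOCKER-USER chain that current Docker installs) are this example's assumptions; the dump is constructed for the demo, and root is only needed for the real save/restore commands shown in the comments.

```shell
#!/bin/sh
# Added example (not code from either answer on this page): keep only the
# Docker-owned rules from an iptables-save dump so they can be reloaded
# after a flush without clobbering the rest of the firewall:
#   iptables-save | docker_rules_only > /root/docker.rules   # after dockerd starts
#   iptables-restore --noflush < /root/docker.rules           # after the flush
# Function/helper names and the 172.17.x.x default subnet are assumptions
# of this example; the dump in sample_dump is constructed for the demo.

# docker_rules_only [bridge-subnet-regex]
# Reads a dump on stdin and prints: table headers (*nat, *filter), COMMIT
# lines, DOCKER* chain declarations, and every rule that is appended to a
# DOCKER* chain, jumps to one, matches the docker0 bridge, or carries an
# address in the bridge subnet. Built-in chain policy lines (:INPUT DROP ...)
# are dropped so the restore leaves INPUT/FORWARD/OUTPUT policies alone.
# Limitation: a rule of your own that names the bridge subnet is kept too,
# so review the output before restoring it.
docker_rules_only() {
    awk -v bridge="${1:-172[.]17[.]}" '
        /^\*/ || /^COMMIT/ { print; next }
        /^:DOCKER/          { print; next }
        /^-A / && (/^-A DOCKER/ || / -j DOCKER/ || /docker0/ || $0 ~ bridge) { print }
    '
}

# Constructed sample dump: Docker's rules for one container with a
# published port, plus an unrelated sshd rule and a DROP policy that must
# not survive the filter.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF
}

# Demo/test helpers: how many -A rules survive, and whether the sshd rule
# and the built-in chain policies were dropped.
count_kept_rules() { sample_dump | docker_rules_only | grep -c '^-A '; }
sshd_rule_dropped() { ! sample_dump | docker_rules_only | grep -q 'dport 22'; }
policy_lines_dropped() { ! sample_dump | docker_rules_only | grep -q '^:INPUT'; }

# Run stand-alone: print the filtered rule set.
sample_dump | docker_rules_only
```

Two things to check on a real host before relying on this: iptables -F only flushes the filter table, so the nat rules the daemon installed are still there unless you also ran iptables -t nat -F; and iptables-restore without --noflush replaces every table named in the file, which is why the filtered file is loaded with --noflush. Confirm the result with iptables-save afterwards, and on current Docker put rules of your own in the DOCKER-USER chain rather than editing DOCKER directly.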