I want to run a docker container with a central log and a fail2ban
service to prevent dos/ddos attacks.
I'm having a problem running a container with such capabilities that it could also modify the host's iptables.
There is a project ianblenke/docker-fail2ban; however, it does not work...
Giving the container the privileged flag only allows me to control iptables
in this container. Is there any way to control the host's iptables
through a container?
Regards.
The iptables firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon itself needs to be allowed to change the iptables ruleset; Docker will not touch the system's iptables rules unless it is allowed to do so.
Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. All of Docker's own iptables rules are added to the DOCKER chain. Do not manipulate this chain manually; rules that must be evaluated before Docker's go in DOCKER-USER.
On Docker for Linux, the IP address of the gateway between the Docker host and the default bridge network is 172.17.0.1. This differs from other platforms, so the same docker-compose up -d does not behave identically on every operating system.
When you connect an existing container to a different network using docker network connect, you can use the --ip or --ip6 flags on that command to specify the container's IP address on the additional network. Similarly, a container's hostname defaults to the container's ID in Docker.
The --privileged flag is not required anymore.
Starting with Docker 1.2 you can now run your image with the parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW, which will allow iptables inside the container.
It might also be worth noticing that in the official Ubuntu images from Docker Hub the iptables package is not installed.
So the general instruction should be: apt-get install iptables, plus the --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.
Also, if you have a docker image that is missing the iptables package, and you don't want to create a custom image from it, you may run a container with iptables in the same network space. E.g. if you have the container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:
    docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add NET_ADMIN --cap-add NET_RAW --cap-add sys_admin container-with-iptables
Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).
If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:
    --net="bridge"
        Set the Network mode for the container
            'bridge': creates a new network stack for the container on the docker bridge
            'none': no networking for this container
            'container:<name|id>': reuses another container network stack
            'host': use the host network stack inside the container.
        Note: the host mode gives the container full access to
        local system services such as D-bus and is therefore
        considered insecure.
You will need to run with both --privileged and --net=host.
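As an added example (not code from the question, from ianblenke/docker-fail2ban, or from either answer above), here is a small Python startup check for a fail2ban-style container that verifies it actually received what the answers describe: CAP_NET_ADMIN and CAP_NET_RAW in its bounding set (read from the CapBnd line of /proc/self/status) and the host's network namespace rather than its own (by comparing the /proc/self/ns/net symlink with the host's value). The example assumes you pass the host's value in through an environment variable named HOST_NETNS, filled from readlink /proc/self/ns/net on the host; that variable name is an assumption of this example, not a Docker feature. Capability bit numbers come from the kernel's capability.h. The two CapBnd sample lines are constructed: 00000000a80425fb is Docker's default bounding set, 00000000a80435fb is the same set with NET_ADMIN (bit 12) added.

```python
import os
import re

# Capability bit numbers from the Linux kernel's include/uapi/linux/capability.h.
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,   # required to change iptables rules
    "CAP_NET_RAW": 13,     # required by iptables to open raw sockets
    "CAP_SYS_ADMIN": 21,
}

# Constructed sample: CapBnd line of /proc/self/status in a container started
# without any --cap-add (Docker's default bounding set: NET_RAW present, NET_ADMIN absent).
DEFAULT_DOCKER_STATUS = "Name:\tbash\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
# Constructed sample: the same container started with --cap-add=NET_ADMIN (bit 12 set).
NET_ADMIN_STATUS = "Name:\tbash\nCapBnd:\t00000000a80435fb\n"


def parse_cap_bnd(status_text):
    """Return the capability bounding set of a /proc/<pid>/status text as an int mask."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line found in status text")
    return int(m.group(1), 16)


def missing_caps(cap_mask, required=("CAP_NET_ADMIN", "CAP_NET_RAW")):
    """List the required capabilities whose bit is not set in cap_mask."""
    return [name for name in required if not (cap_mask >> CAP_BITS[name]) & 1]


def same_netns(own_link, host_link):
    """/proc/<pid>/ns/net links look like 'net:[4026531992]'; equal inode means same namespace."""
    return own_link == host_link


def diagnose(status_text, own_netns_link, host_netns_link):
    """Return a list of human-readable problems; an empty list means iptables will hit the host."""
    problems = []
    for cap in missing_caps(parse_cap_bnd(status_text)):
        problems.append("missing %s: iptables calls will fail with EPERM" % cap)
    if not same_netns(own_netns_link, host_netns_link):
        problems.append(
            "container has its own network namespace: rules only affect the container "
            "(start it with --net=host)")
    return problems


def live_check(host_netns_env="HOST_NETNS"):
    """Run the check against the real /proc of this process (Linux only)."""
    with open("/proc/self/status") as f:
        status_text = f.read()
    own_link = os.readlink("/proc/self/ns/net")
    # Assumed convention of this example: the host's namespace link is passed in
    # via an environment variable filled from `readlink /proc/self/ns/net` on the host.
    host_link = os.environ.get(host_netns_env, "")
    return diagnose(status_text, own_link, host_link)


if __name__ == "__main__":
    for problem in live_check():
        print("WARNING:", problem)
```

Run it from the host as docker run --rm --net=host --cap-add NET_ADMIN --cap-add NET_RAW -e HOST_NETNS=$(readlink /proc/self/ns/net) image python3 check.py. A container started with --privileged but without --net=host passes the capability check and fails the namespace check, which is exactly the symptom in the question: iptables works, but only on the container's own rules.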