Skip to content

gnomix/docker_iptables

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
circle.yml
circle.yml
 
 
docker_iptables.py
docker_iptables.py
 
 
setup.py
setup.py
 
 

Repository files navigation

docker_iptables

This script is intended to handle Docker iptables port-forwardings manually, for those times when you can't let Docker manage iptables on its own because it conflicts with other things on the system that are also trying to manage iptables.

Usage

Assumptions / Pre-reqs:

  • systemd is your init and containers will be managed by systemd .service units.
  • Canonical source for iptables rules is /etc/iptables.d/ and /etc/ip6tables.d/
  • A service named iptables.service exists and when stated or restarted will flush all running iptables rules and reload rulesfrom the .d directories.

Using this script:

  1. The docker daemon should be configured to start with --iptables=false.

  2. Create an /etc/iptables.d/10_docker file with the following rules. These are the base rules that would normally get created when the docker daemon is started. NOTE: You must use a chain name other than DOCKER because even with --iptables=false docker will remove this chain on startup (bug in docker?).

     *nat
 :DOCKER_CONTAINERS - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER_CONTAINERS
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER_CONTAINERS
 -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
 COMMIT
 *filter
 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
 -A FORWARD -i docker0 -o docker0 -j ACCEPT
 COMMIT

  3. ExecStartPost= and ExecStopPost= commands in each docker container .service:

     [Unit]
 Description=hello-world docker service
 After=docker.service
 Requires=docker.service

 [Service]
 SyslogIdentifier=hello-world
 ExecStartPre=-/usr/bin/docker rm hello-world
 ExecStart=/usr/bin/docker run  --name="hello-world" --publish="5000:5000" --rm=true quay.io/getpantheon/hello-world:master
 ExecStartPost=/opt/titan/utilities/docker/docker-iptables.py create hello-world
 ExecStop=-/usr/bin/docker stop hello-world
 ExecStopPost=/opt/titan/utilities/docker/docker-iptables.py delete hello-world
 Restart=always
 RestartSec=10s
 TimeoutStartSec=120
 TimeoutStopSec=15

 [Install]
 WantedBy=multi-user.target

Manual usage:

The script can also be run against any running container:

docker-iptables.py create container-name
docker-iptables.py delete container-name

The above commands will read the port mappings from docker inspect of the running container and add or delete the rules from /etc/iptables.d. It will also call systemctl restart iptables.service to load or remove the rules from the running config.

Testing

  1. run unit tests: python setup.py test
  2. run pylint test: pylint docker_iptables.py

Contributing

  1. Do work in a branch
  2. Add tests, ensure tests pass on Circle
  3. Bump version in setup.py in your branch
  4. Send PR to master branch

About

Utility to help manually manage iptables port mappings of docker containers

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 100.0%