Configure iptables to secure a server running Docker containers

by Gaël, Last Updated January 05, 2018 20:00 PM

I try to use Docker to run 2 containers (the issue is not specific to them):

  • MySQL (official container)
  • Redmine (official container)

Each container has a forwarded port:

  • MySQL: -> 3000/tcp
  • Redmine: -> 3306/tcp

As you can see, the goal is to make them accessible only within the host.

An Nginx server (not installed via Docker) listens on port 80 and redirects any request to the Redmine container port (using proxy functionalities: proxy_pass etc.).

All works perfectly at this point: when I go to the server IP, I can access Redmine.

But, I'd want to add some security using iptables. So, the goal is to:

  • DROP all by default (this point is ok)
  • Allow Docker to make its business only within the local host
  • Allow the containers to access the Internet (to download dependencies, updates...)
  • Allow the access to SSH and Nginx (ok too)

First, I tried to add the --iptables=false option to stop Docker messing with my iptables. After a reboot, I thought that, with clean iptables (all policies are set to ACCEPT by default, so nothing is done yet), all would work well. But that's not the case, I get a "502 Bad Gateway" response from Nginx. I don't really understand why Docker is unable to work without adding additional rules (if all is open, it should work... No?).

I tried to read the docs about advanced networking in Docker, I also tried multiple tutorials, but I can't find what is blocking Docker:

I'm not a Linux/Docker/SysAdmin expert so maybe, it will be obvious for some of you (at least, I wish!).

Don't hesitate to ask me more details if needed.

Thanks in advance for your answer.
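As an added example (not part of the question or of any answer on this page), the script below generates an iptables-restore ruleset that implements the four goals listed in the question: DROP by default, host-only access to the published container ports, outbound Internet for the containers, and SSH plus Nginx reachable from outside. It assumes the default docker0 bridge with its 172.17.0.0/16 subnet, eth0 as the Internet-facing interface, SSH on port 22, and dockerd left at its default --iptables=true so that it manages its own DOCKER chain and jumps into the DOCKER-USER hook; all of these are assumptions, not values taken from the question.

```shell
#!/bin/sh
# Added example, not code from the question. Generates an iptables-restore
# ruleset for a host that runs Docker containers behind a local Nginx.
# Assumed names (override via environment): docker0 bridge, 172.17.0.0/16
# container subnet, eth0 uplink, SSH on 22.
DOCKER_BR="${DOCKER_BR:-docker0}"
DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset on stdout; nothing is applied here.
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT container traffic leaving through the uplink; without it replies
# to the private container addresses never come back (this is one of the
# rules Docker stops adding when started with --iptables=false).
-A POSTROUTING -s ${DOCKER_NET} ! -o ${DOCKER_BR} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
# Host itself: loopback (Nginx -> 127.0.0.1:<published port>), replies, SSH, HTTP.
# Nothing from the bridge is allowed into the host; add an explicit
# "-A INPUT -i ${DOCKER_BR} ..." rule if a container must reach a host service.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${WAN_IF} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Routed traffic: containers may go out to the Internet and talk to each other
# on the bridge; replies come back through conntrack.
-A FORWARD -j DOCKER-USER
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${DOCKER_BR} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${DOCKER_BR} -o ${DOCKER_BR} -j ACCEPT
# DOCKER-USER is evaluated before Docker's own DOCKER chain, so it is the place
# to refuse new connections arriving from the uplink towards any container,
# even for a port Docker has published.
-A DOCKER-USER -i ${WAN_IF} -o ${DOCKER_BR} -m conntrack --ctstate NEW -j DROP
-A DOCKER-USER -j RETURN
COMMIT
EOF
}

# Number of chains whose default policy is DROP (quick sanity check).
count_drop_policies() {
    gen_rules | grep -c '^:[A-Z]* DROP'
}

# Load the ruleset atomically (run as root). Restart dockerd afterwards:
# iptables-restore flushes the DOCKER chains that dockerd created.
apply_rules() {
    gen_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

Run it without arguments to review the generated ruleset, and with `apply` as root to load it; after loading, restart dockerd so it recreates the DOCKER chain and its DNAT rules for the published ports, since iptables-restore flushes them. Ports published on 127.0.0.1 are served to Nginx through the loopback rule, while the DOCKER-USER rule makes sure that no connection from the uplink reaches a container even if a port is later published on 0.0.0.0 by mistake.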
