Docker - IPTABLES modification for a host from a container

I want to launch a fail2ban container using a central log and fail2ban to prevent DoS / DDoS attacks.

I had a problem launching a container with capabilities such that it could also change the host's iptables.

There is an ianblenke/docker-fail2ban project, however it does not work...

Granting the container privileges only allows me to control iptables inside that container. Is there a way to control the host's iptables from a container?

Sincerely.

+5
2 answers

By default, docker containers run inside an isolated namespace on the network, where they do not have access to the host network configuration (including iptables).

If you want your container to be able to change the host network configuration, you need to pass the --net=host option to docker run. From the docker-run(1) man page:

 --net="bridge"   Set the Network mode for the container
                  'bridge': creates a new network stack for the container on the docker bridge
                  'none': no networking for this container
                  'container:': reuses another container network stack
                  'host': use the host network stack inside the container.
                  Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.

You will need to work with both --privileged and --net=host.

+9

--privileged is no longer required. Starting with Docker 1.2, you can run your image with the options --cap-add=NET_ADMIN and --cap-add=NET_RAW, which will allow you to use iptables inside the container.

It can also be noted that in the official Ubuntu images from Docker Hub the iptables package is not installed. Therefore, the general instructions are:

  • apt-get install iptables
  • start the container with --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW.

In addition, if you have a Docker image in which the iptables package is missing, and you do not want to build a custom image from it, you can start a container that has iptables in the same network namespace. For instance, if you have a container container-without-iptables, and you want to run a container-with-iptables in the same network namespace, you can do:

 docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables
+2
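Putting the two answers together, here is an added example (not from either answer or from the docker-fail2ban project) that composes the least-privilege `docker run` arguments and then checks that rules created inside the container really land in the host's netfilter tables. The image name, the `fail2ban` container name, the `f2b-probe` chain name and the read-only log mount are assumptions for illustration.

```sh
#!/bin/sh
# Added example: run a fail2ban-style container without --privileged and
# verify that it shares the host's iptables. Placeholders: IMAGE (your own
# image with the iptables package installed), container name "fail2ban",
# probe chain "f2b-probe". The log mount is an assumption about a central log.
IMAGE="${IMAGE:-fail2ban-image-placeholder}"
CHAIN="f2b-probe"

# Arguments for docker run, one per line. --privileged is deliberately
# absent: NET_ADMIN and NET_RAW are enough for iptables, and --net=host
# places the container in the host network namespace so its rules apply
# to host traffic.
docker_run_args() {
    printf '%s\n' --net=host --cap-add=NET_ADMIN --cap-add=NET_RAW \
        -v /var/log:/var/log:ro --name fail2ban -d "$IMAGE"
}

# Create a probe chain from inside the container and check that the host's
# own iptables lists it. Returns 0 when the namespaces are shared.
probe_shared_netfilter() {
    docker exec fail2ban iptables -N "$CHAIN" || return 1
    if iptables -S | grep -qxF -- "-N $CHAIN"; then
        status=0
    else
        status=1
    fi
    docker exec fail2ban iptables -X "$CHAIN"   # clean up the probe chain
    return "$status"
}

# Only launch and probe when explicitly asked: sh thisfile.sh run
if [ "${1:-}" = run ]; then
    docker_run_args | xargs docker run
    probe_shared_netfilter && echo "container can manage host iptables"
fi
```

If the probe fails even though the container runs with --net=host, compare `iptables -V` on the host and in the image: a legacy-backend iptables and an nf_tables-backend iptables do not see each other's rules.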
