The minimum permission to open iptables in the Docker container

  • 2020-06-03 08:50:06
  • OfStack


Docker containers sometimes need to run iptables inside the container. By default, a container started with a plain docker run does not have permission to use iptables. So how can you use iptables in the container, and how do you grant the permission?

The container's permissions are configured when docker run is executed, mainly through --privileged, or through --cap-add and --cap-drop, which add or remove individual Linux capabilities from the container. The examples below illustrate this.

For example, an image named aaa is to be started as a container named bbb, and iptables needs to work inside that container. The simplest way is --privileged=true:


~$ docker run --privileged=true -d -p 4489:4489/tcp --name bbb aaa

After executing the above commands, you can enter the container to configure iptables:


~$ docker exec -it bbb /bin/bash
/# iptables -A INPUT -s 192.168.1.156 -j DROP
/# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out   source        destination
   0     0 DROP     all  --  *    *    192.168.1.156  0.0.0.0/0

But --privileged grants the container every capability of the host system, which is very insecure for the host: the container can, for example, operate directly on the host's devices. To grant only the capabilities iptables needs and nothing else, start the container with the following parameters instead, which avoid over-granting permissions:


~$ docker run --cap-add NET_ADMIN --cap-add NET_RAW -d -p 4489:4489/tcp --name bbb aaa
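To verify from inside the container that the capability set is neither too small for iptables nor larger than needed, the effective capability mask in /proc/self/status (the CapEff line) can be decoded. The script below is an added example and is not part of the original article or of Docker; it decodes the mask with plain shell arithmetic, using the capability bit numbers from linux/capability.h (CAP_NET_ADMIN = 12, CAP_NET_RAW = 13, CAP_SYS_ADMIN = 21). The hex masks used as sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decode a process's effective
# capability mask and judge whether it fits the "iptables only" policy.
# Bit numbers are taken from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# has_cap HEXMASK BIT -> succeeds if capability BIT is set in HEXMASK.
# HEXMASK is the raw value of the CapEff line, e.g. 00000000a80425fb.
has_cap() {
  mask=$(( 0x$1 ))
  [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# check_iptables_caps HEXMASK -> prints one word:
#   insufficient : NET_ADMIN or NET_RAW is missing, iptables will fail
#   excessive    : iptables would work, but SYS_ADMIN is also present,
#                  which is the kind of over-granting --privileged causes
#   ok           : exactly the network capabilities iptables needs
check_iptables_caps() {
  if ! has_cap "$1" "$CAP_NET_ADMIN" || ! has_cap "$1" "$CAP_NET_RAW"; then
    echo insufficient
  elif has_cap "$1" "$CAP_SYS_ADMIN"; then
    echo excessive
  else
    echo ok
  fi
}

# current_cap_mask -> the CapEff value of this shell, i.e. what a process
# started inside the container actually has.
current_cap_mask() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Stand-alone use: report on the shell's own mask when /proc is available.
if [ -r /proc/self/status ]; then
  live=$(current_cap_mask)
  echo "CapEff=$live -> $(check_iptables_caps "$live")"
fi
```

Run it inside the container with docker exec; a container started with --cap-add NET_ADMIN --cap-add NET_RAW reports ok, a plain docker run reports insufficient (Docker's default set includes NET_RAW but not NET_ADMIN), and a --privileged container reports excessive because SYS_ADMIN and every other capability are present as well.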

Thank you for reading, I hope to help you, thank you for your support to this site!

