The minimum permission to open iptables in the Docker container
- 2020-06-03 08:50:06
- OfStack
Docker containers sometimes need to run iptables inside the container. By default, a container started with a plain docker run does not have the permission to use iptables. So how can you use iptables in the container, and how do you grant that permission?
The permissions of a container are configured when docker run is executed, mainly with --privileged, --cap-add and --cap-drop, which open up or restrict the capabilities of the container itself. The examples below illustrate this.
For example, an image named aaa is to be started as a container named bbb, and iptables is needed inside the container. The simplest way is --privileged=true:
~$ docker run --privileged=true -d -p 4489:4489/tcp --name bbb aaa
After executing the above commands, you can enter the container to configure iptables:
~$ docker exec -it bbb /bin/bash
/# iptables -A INPUT -s 192.168.1.156 -j DROP
/# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.1.156 0.0.0.0/0
But --privileged opens up all the capabilities of the system to the docker container, which is very insecure for the host: the container can, for example, operate directly on the host's devices. If only the permissions that iptables needs should be opened and nothing else, start docker with the following parameters, which add just the two capabilities (NET_ADMIN and NET_RAW) and avoid over-granting permissions:
~$ docker run --cap-add NET_ADMIN --cap-add NET_RAW -d -p 4489:4489/tcp --name bbb aaa
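A check you can run inside a container to confirm which capabilities it actually received, as an added example that is not part of the original post: it decodes the CapEff mask found in /proc/self/status (bit 12 is CAP_NET_ADMIN, bit 13 is CAP_NET_RAW, per linux/capability.h) and compares constructed sample masks for the default, --cap-add, --cap-drop ALL and --privileged cases; the 41-capability count assumes a current kernel.

```shell
# Decode a CapEff mask (hex string as printed in /proc/self/status) and
# report whether the capabilities iptables needs are present.
CAP_NET_ADMIN=12   # bit numbers from linux/capability.h
CAP_NET_RAW=13

# has_cap MASK BIT -> exit 0 if capability BIT is set in MASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# iptables_caps_ok MASK -> prints "ok" when both CAP_NET_ADMIN and
# CAP_NET_RAW are present, otherwise "missing: ..." with exit status 1
iptables_caps_ok() {
    missing=""
    has_cap "$1" "$CAP_NET_ADMIN" || missing="$missing CAP_NET_ADMIN"
    has_cap "$1" "$CAP_NET_RAW"   || missing="$missing CAP_NET_RAW"
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
        return 1
    fi
}

# count_caps MASK -> how many of the 41 capability bits are set; a rough
# measure of how much more than iptables needs was granted
count_caps() {
    n=0; b=0
    while [ $b -lt 41 ]; do
        has_cap "$1" $b && n=$((n+1))
        b=$((b+1))
    done
    echo $n
}

# current_capeff -> CapEff mask of the calling process (run this inside
# the container to check the real grant)
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Constructed sample masks (hypothetical values for illustration):
DEFAULT_MASK=00000000a80425fb    # plain docker run: default cap set
CAPADD_MASK=00000000a80435fb     # default + --cap-add NET_ADMIN --cap-add NET_RAW
MINIMAL_MASK=0000000000003000    # --cap-drop ALL --cap-add NET_ADMIN --cap-add NET_RAW
PRIVILEGED_MASK=000001ffffffffff # --privileged=true: every capability

for m in $DEFAULT_MASK $CAPADD_MASK $MINIMAL_MASK $PRIVILEGED_MASK; do
    echo "$m caps=$(count_caps $m) iptables: $(iptables_caps_ok $m)"
done
```

Run inside the container, `iptables_caps_ok "$(current_capeff)"` tells you whether the grant is sufficient, and `count_caps` shows how far the --privileged mask overshoots the two bits iptables actually needs.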