From 4c517e9b08cd02a05bf82adc7be5b8ccb6c0421a Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Sun, 23 Feb 2025 12:04:37 +0000 Subject: [PATCH 1/3] Add new DOCKER-FORWARD chain to the iptables description Signed-off-by: Rob Murray --- .../engine/network/packet-filtering-firewalls.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/content/manuals/engine/network/packet-filtering-firewalls.md b/content/manuals/engine/network/packet-filtering-firewalls.md index 9e15276a38a..e85a75f19eb 100644 --- a/content/manuals/engine/network/packet-filtering-firewalls.md +++ b/content/manuals/engine/network/packet-filtering-firewalls.md @@ -32,17 +32,22 @@ following custom `iptables` chains: * `DOCKER-USER` * A placeholder for user-defined rules that will be processed before rules - in the `DOCKER` chain. + in the `DOCKER-FORWARD` and `DOCKER` chains. +* `DOCKER-FORWARD` + * The first stage of processing for Docker's networks. Rules that pass packets + that are not related to established connections to the other Docker chains, + as well as rules to accept packets that are part of established connections. * `DOCKER` * Rules that determine whether a packet that is not part of an established connection should be accepted, based on the port forwarding configuration of running containers. * `DOCKER-ISOLATION-STAGE-1` and `DOCKER-ISOLATION-STAGE-2` * Rules to isolate Docker networks from each other. +* `DOCKER-INGRESS` + * Rules related to Swarm networking. -In the `FORWARD` chain, Docker adds rules that pass packets that are not related -to established connections to these custom chains, as well as rules to accept -packets that are part of established connections. +In the `FORWARD` chain, Docker adds rules that unconditionally jump to the +`DOCKER-USER`, `DOCKER-FORWARD` and `DOCKER-INGRESS` chains. In the `nat` table, Docker creates chain `DOCKER` and adds rules to implement masquerading and port-mapping. 
@@ -53,6 +58,8 @@ Packets that get accepted or rejected by rules in these custom chains will not be seen by user-defined rules appended to the `FORWARD` chain. So, to add additional rules to filter these packets, use the `DOCKER-USER` chain. +Rules appended to the `FORWARD` chain will be processed after Docker's rules. + ### Match the original IP and ports for requests When packets arrive to the `DOCKER-USER` chain, they have already passed through From 6c3e9e32c3539f4743c576fe38adca016fa167bc Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Sun, 23 Feb 2025 12:32:34 +0000 Subject: [PATCH 2/3] Update notes about IP Forwarding and the default DROP policy Signed-off-by: Rob Murray --- .../network/packet-filtering-firewalls.md | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/content/manuals/engine/network/packet-filtering-firewalls.md b/content/manuals/engine/network/packet-filtering-firewalls.md index e85a75f19eb..8a57e45295c 100644 --- a/content/manuals/engine/network/packet-filtering-firewalls.md +++ b/content/manuals/engine/network/packet-filtering-firewalls.md 
@@ -308,16 +308,35 @@ Alternatively, you can use the `dockerd --ip` flag when starting the daemon. ## Docker on a router -Docker sets the policy for the `FORWARD` chain to `DROP`. This will prevent -your Docker host from acting as a router. +On Linux, Docker needs "IP Forwarding" enabled on the host. So, it enables +the `sysctl` settings `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` +it they are not already enabled when it starts. -If you want your system to function as a router, you must add explicit -`ACCEPT` rules to the `DOCKER-USER` chain. For example: +If Docker sets the policy for the `FORWARD` chain to `DROP`. This will prevent +your Docker host from acting as a router, it is the recommended setting when +IP Forwarding is enabled. + +To stop Docker from setting the `FORWARD` chain's policy to `DROP`, include +`"ip-forward-no-drop": true` in `/etc/docker/daemon.json`, or add option +`--ip-forward-no-drop` to the `dockerd` command line. + +Alternatively, you may add `ACCEPT` rules to the `DOCKER-USER` chain for the +packets you want to forward. For example: ```console $ iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT ``` +> [!WARNING] +> +> In releases older than 28.0.0, Docker always set the default policy of the +> `FORWARD` chain to `DROP`. In release 28.0.0 and newer, it will only set +> that policy if it enables IPv6 forwarding itself. This has always been the +> behaviour for IPv4 forwarding. +> +> If IPv6 forwarding is enabled on your host before Docker starts, check your +> host's configuration to make sure it is still secure. + ## Prevent Docker from manipulating iptables It is possible to set the `iptables` or `ip6tables` keys to `false` in From 69cc8ea3276a092c5dfd1050339980c68cccb021 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Sun, 23 Feb 2025 12:34:19 +0000 Subject: [PATCH 3/3] Only engine < 28.0.0 allows remote access to localhost ports 
Signed-off-by: Rob Murray --- .../manuals/engine/network/packet-filtering-firewalls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/manuals/engine/network/packet-filtering-firewalls.md b/content/manuals/engine/network/packet-filtering-firewalls.md index 8a57e45295c..17670408e2b 100644 --- a/content/manuals/engine/network/packet-filtering-firewalls.md +++ b/content/manuals/engine/network/packet-filtering-firewalls.md @@ -268,9 +268,9 @@ configure the daemon to use the loopback address (`127.0.0.1`) instead. > [!WARNING] > -> Hosts within the same L2 segment (for example, hosts connected to the same -> network switch) can reach ports published to localhost. -> For more information, see +> In releases older than 28.0.0, hosts within the same L2 segment (for example, +> hosts connected to the same network switch) can reach ports published to +> localhost. For more information, see > [moby/moby#45610](https://github.com/moby/moby/issues/45610) To configure this setting for user-defined bridge networks, use
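Review bot: In patch 1/3, hunk `@@ -32,17 +32,22 @@`, the new `DOCKER-FORWARD` bullet is a sentence fragment and leaves the chain ordering ambiguous. "Rules that pass packets that are not related to established connections to the other Docker chains, as well as rules to accept packets that are part of established connections." has no main verb; suggest "It contains rules that pass packets not related to established connections to the other Docker chains, and rules that accept packets that are part of established connections." The `DOCKER-USER` bullet now says its rules run before those in `DOCKER-FORWARD` and `DOCKER`, but the rewritten closing paragraph says `FORWARD` jumps to `DOCKER-USER`, `DOCKER-FORWARD` and `DOCKER-INGRESS`; say whether `DOCKER-USER` also runs before `DOCKER-INGRESS`, and whether `DOCKER-INGRESS` is present on a host that is not in a Swarm, since "Rules related to Swarm networking" alone will send a non-Swarm reader looking for a chain they may not have.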
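Review bot: In patch 1/3, hunk `@@ -53,6 +58,8 @@`, the added sentence "Rules appended to the `FORWARD` chain will be processed after Docker's rules." restates the paragraph just above it without connecting the two, and on its own it reads as if appended rules will still see every packet. Suggest folding it into that paragraph so the consequence is explicit: "Because Docker's rules run first, rules appended to the `FORWARD` chain only see packets that none of Docker's chains have accepted or rejected. To filter those packets, use the `DOCKER-USER` chain."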
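Review bot: In patch 2/3, hunk `@@ -308,16 +308,35 @@`, the paragraph describing the `DROP` policy is broken and, as written, states the opposite of the warning below it: "If Docker sets the policy for the `FORWARD` chain to `DROP`. This will prevent your Docker host from acting as a router, it is the recommended setting when IP Forwarding is enabled." The warning says Docker "will only set that policy if it enables IPv6 forwarding itself. This has always been the behaviour for IPv4 forwarding", so the intended condition is that Docker enabled forwarding; suggest "If Docker enables IP forwarding, it also sets the policy for the `FORWARD` chain to `DROP`. This prevents your Docker host from acting as a router, which is the recommended setting when IP forwarding is enabled." Three smaller points in the same hunk: "it they are not already enabled" should read "if they are not already enabled"; the `--ip-forward-no-drop` paragraph should say what the setting gives up (with forwarding enabled and no `DROP` policy, the host acts as a router for whatever reaches it), so the `DOCKER-USER` `ACCEPT` rules that follow are the narrower option and deserve to come first rather than as an "Alternatively"; and the example `iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT` covers only IPv4, so now that the section discusses `net.ipv6.conf.all.forwarding` it should show the `ip6tables` form of the same rule. The warning's "check your host's configuration to make sure it is still secure" would also be more useful if it named what to check: the `FORWARD` policy in `ip6tables` and any rules that accept forwarded IPv6 traffic.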
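Review bot: In patch 3/3, hunk `@@ -268,9 +268,9 @@`, the rewritten warning says what older releases do but not what changed, so a reader on 28.0.0 cannot tell whether the exposure still applies. Going by the commit subject ("Only engine < 28.0.0 allows remote access to localhost ports"), suggest stating the current behaviour and using the past tense for the old one: "In releases older than 28.0.0, hosts within the same L2 segment (for example, hosts connected to the same network switch) could reach ports published to localhost. In release 28.0.0 and newer they cannot." Keep the [moby/moby#45610](https://github.com/moby/moby/issues/45610) link as the reference for the older behaviour, and consider one sentence telling readers who cannot upgrade yet to treat ports published to `127.0.0.1` as reachable from their L2 segment until they do.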