@antwal
Last active December 9, 2023 11:50
Allow forward to Docker Network Bridge (Debian 11/12)

Create Docker Network

docker network create --driver bridge container-net

Network Example (/etc/network/interfaces)

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eno1
iface eno1 inet dhcp
post-up /etc/iptables-docker-bridge.sh

File permissions

chmod a+x /etc/iptables-docker-bridge.sh

Check rules

iptables -L FORWARD -v -n

Default Docker Rules:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
43060   26M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
43060   26M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
26303   23M ACCEPT     0    --  *      br-caed2ff56793  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  130 49312 DOCKER     0    --  *      br-caed2ff56793  0.0.0.0/0            0.0.0.0/0           
16627 2975K ACCEPT     0    --  br-caed2ff56793 !br-caed2ff56793  0.0.0.0/0            0.0.0.0/0           
  129 49264 ACCEPT     0    --  br-caed2ff56793 br-caed2ff56793  0.0.0.0/0            0.0.0.0/0 

Added Docker Rules:

    0     0 ACCEPT     0    --  br-caed2ff56793 eno1    0.0.0.0/0            0.0.0.0/0           
  109  7000 ACCEPT     0    --  eno1   br-caed2ff56793  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  eno1   br-caed2ff56793  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Script: /etc/iptables-docker-bridge.sh

#!/bin/bash
# Run by ifupdown via the post-up hook in /etc/network/interfaces.
# ifupdown exports IFACE with the name of the interface being brought up.
IPT="/sbin/iptables"
DOCKER="/usr/bin/docker"
NETWORK_NAME="container-net"
[ "$IFACE" = "eno1" ] || exit 0 # we only want interface "eno1"
echo "Checking docker..."
[ -x "$DOCKER" ] || { echo "Docker is not installed."; exit 0; }
echo "Checking docker bridge..."
# Resolve the network ID; Docker names the bridge device "br-" plus the first 12 hex characters.
NETWORK_ID=$("$DOCKER" network inspect -f '{{.Id}}' "$NETWORK_NAME" 2>/dev/null)
[ -z "$NETWORK_ID" ] && echo "Docker network '$NETWORK_NAME' not found (or the daemon is not running)." && exit 0
NETWORK_BRIDGE="br-${NETWORK_ID:0:12}"
echo "Loading docker bridge iptables rules..."
# add_rule appends a FORWARD rule only if it is not already present (-C),
# so bringing the interface up again does not stack duplicate rules.
add_rule() {
    "$IPT" -C FORWARD "$@" 2>/dev/null || "$IPT" -A FORWARD "$@"
}
add_rule -i "$NETWORK_BRIDGE" -o "$IFACE" -j ACCEPT
# Accepts every flow from eno1 into the bridge, new connections included;
# this exposes all container ports on that bridge to the eno1 side.
add_rule -i "$IFACE" -o "$NETWORK_BRIDGE" -j ACCEPT
# Only reached by packets the rule above did not already accept, which is why
# its counters stay at 0 in the listing; it matters only if the unconditional
# rule above is removed to restrict inbound access to established flows.
add_rule -i "$IFACE" -o "$NETWORK_BRIDGE" -m state --state "RELATED,ESTABLISHED" -j ACCEPT
echo "Docker bridge rules loaded."
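Added example (not part of the gist): a small audit for the "Check rules" step. It reads a saved `iptables -L FORWARD -v -n` listing and reports every ACCEPT rule that crosses a Docker user bridge (br-*), flagging an uplink-to-bridge ACCEPT that carries no conntrack match as "open". The sample listing is constructed from the rows shown above; the uplink name (UPLINK, defaulting to eno1) is an assumption.

```shell
#!/bin/sh
# Audit a saved `iptables -L FORWARD -v -n` listing for forward rules that
# involve a Docker user bridge (br-*). Assumed: UPLINK is the host's
# uplink interface (eno1 on this page).
UPLINK="${UPLINK:-eno1}"

# Constructed sample: rows taken from the listing above, trimmed.
SAMPLE_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
43060   26M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-caed2ff56793 eno1    0.0.0.0/0            0.0.0.0/0
  109  7000 ACCEPT     0    --  eno1   br-caed2ff56793  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  eno1   br-caed2ff56793  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# audit_forward: reads a listing on stdin and prints one line per bridge rule:
#   <in> <out> <verdict>
# verdicts:
#   open     - unconditional ACCEPT from the uplink into the bridge
#   stateful - ACCEPT from the uplink into the bridge limited to RELATED,ESTABLISHED
#   egress   - ACCEPT from the bridge out to the uplink
audit_forward() {
  awk -v up="$UPLINK" '
    # -v -n columns: pkts bytes target prot opt in out source destination [match...]
    NR > 2 && $3 == "ACCEPT" {
      inif = $6; outif = $7; extra = ""
      for (i = 10; i <= NF; i++) extra = extra $i " "
      if (inif == up && outif ~ /^br-/) {
        if (extra ~ /RELATED,ESTABLISHED/) print inif, outif, "stateful"
        else print inif, outif, "open"
      } else if (inif ~ /^br-/ && outif == up) {
        print inif, outif, "egress"
      }
    }'
}

# has_open_ingress: returns 0 when the listing on stdin contains an
# unconditional uplink-to-bridge ACCEPT, 1 otherwise.
has_open_ingress() {
  audit_forward | grep -q ' open$'
}

# Stand-alone run over the constructed sample; on a live host use:
#   iptables -L FORWARD -v -n | audit_forward
printf '%s\n' "$SAMPLE_LISTING" | audit_forward
```

On the page's own listing this prints one egress, one open and one stateful line; the "open" line is the rule that makes the stateful one redundant, which matches its 0-packet counter above.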