Manage host iptables from docker container

Time:10-18

I want to be able to see host iptables from inside a docker container. Not necessarily manage it, maybe a read-only iptables would be enough. I already gave --cap-add=NET_ADMIN and network mode is set to host, but still iptables is showing empty from inside container. More precisely, it seems to be a different iptables namespace or something like that. I'm able to add new rules from container's inside but that has no effect on host iptables, of course.

root@host:~# iptables -xnvL OUTPUT 
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy ACCEPT 1104394 packets, 407916631 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
   16498  3125381            all  --  *      *       8.8.8.8         0.0.0.0/0           
  107211 59743643            all  --  *      *       192.168.0.1          0.0.0.0/0           
root@host:~# docker exec ct_monitor_1 iptables -xnvL OUTPUT
Chain OUTPUT (policy ACCEPT 33081662 packets, 12617923760 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
  206142 41989385            all  --  *      *       1.1.1.1         0.0.0.0/0           
 3686279 1919571839            all  --  *      *       172.0.0.1          0.0.0.0/0

(rules are fake, just to show that containers have different iptables)

Thanks!

UPDATE

I noticed that the problem happens in host with Ubuntu 22.04 and docker container ubuntu <=20.04.

To clarify, I'm giving more context.

Host:

root@host:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:        22.04
Codename:       jammy

root@zitz:~# iptables -nvL OUTPUT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy ACCEPT 437K packets, 229M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 285K  142M            all  --  *      *       8.8.8.8         0.0.0.0/0           
 120K   83M            all  --  *      *       192.168.0.1          0.0.0.0/0

Working example, notice that I'm using ubuntu:jammy-20221003

root@zitz:~# docker run --rm -it --network=host --cap-add=NET_ADMIN ubuntu:jammy-20221003 bash
root@zitz:/# apt -qq -y update && apt install -qq -y iptables
root@zitz:/# iptables -nvL OUTPUT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy ACCEPT 436K packets, 229M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 285K  142M            all  --  *      *       8.8.8.8         0.0.0.0/0           
 120K   82M            all  --  *      *       192.168.0.1          0.0.0.0/0

Non-working example, I'm using any version of ubuntu lower than or equal to 20.04

root@zitz:~# docker run --rm -it --network=host --cap-add=NET_ADMIN ubuntu:focal bash
root@zitz:/# apt -qq update && apt install -y -qqq iptables
.
.
.
root@zitz:/# iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 148K packets, 53M bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables is "empty" in those cases.

Update 2

I think that my problem is related to this: https://serverfault.com/questions/1097499/warning-iptables-legacy-tables-present-use-iptables-legacy-save-to-see-them

CodePudding user response:

--network=host is all you need. If you use --network=host, all network interfaces, including all the iptables, are shared.

The difference, as you found out, is in user-space. Your host system is using nftables, not iptables.
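The answer's point (same kernel, different user-space backends) and the question's "empty listing" symptom can be checked mechanically. The script below is an added example, not code from the question, the answer, or the iptables or Docker projects: it classifies `iptables -V` output as nf_tables or legacy, recognises the "tables present" warning shown in the question (which means rules also exist in the other backend), and picks the explicit front end (`iptables-nft` or `iptables-legacy`, both shipped with iptables 1.8) that a container should run to see the host's rules. The version strings and listing it runs against are constructed to mirror the question's jammy host and focal container; it assumes iptables 1.8 or later, which prints the backend in parentheses after the version.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# With --network=host and CAP_NET_ADMIN the container shares the host's
# netfilter state, but iptables rules live in one of two kernel backends.
# A container whose iptables binary defaults to the legacy backend lists an
# "empty" ruleset on a host that keeps its rules in nf_tables, and vice
# versa. These helpers assume iptables 1.8+, which reports the backend in
# `iptables -V` output, e.g. "iptables v1.8.7 (nf_tables)".

# Map an `iptables -V` line to one of: nft, legacy, unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Return 0 when an `iptables -L` listing carries the "tables present"
# warning, i.e. rules exist in the *other* backend and are not shown here.
has_mixed_backend_warning() {
    printf '%s\n' "$1" | grep -q 'tables present, use iptables-'
}

# Given the host's backend and the container's default backend, print the
# command the container should run to list the same ruleset as the host.
# iptables-nft and iptables-legacy are the explicit front ends in the
# iptables 1.8 package (assumed installed in the container).
matching_command() {
    host="$1"
    container="$2"
    if [ "$host" = "$container" ]; then
        echo iptables
    elif [ "$host" = nft ]; then
        echo iptables-nft
    elif [ "$host" = legacy ]; then
        echo iptables-legacy
    else
        echo unknown
    fi
}

# Read the backend of the iptables binary on the current system, if any.
# Run this once on the host and once in the container to compare them.
detect_live_backend() {
    if command -v iptables >/dev/null 2>&1; then
        iptables_backend "$(iptables -V 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample values mirroring the question: a jammy host whose
# iptables uses nf_tables and a focal container whose iptables is legacy.
HOST_VERSION='iptables v1.8.7 (nf_tables)'
CONTAINER_VERSION='iptables v1.8.4 (legacy)'
HOST_LISTING='# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy ACCEPT 437K packets, 229M bytes)'

host_backend=$(iptables_backend "$HOST_VERSION")
container_backend=$(iptables_backend "$CONTAINER_VERSION")
echo "host backend:      $host_backend"
echo "container backend: $container_backend"
echo "run in container:  $(matching_command "$host_backend" "$container_backend")"
if has_mixed_backend_warning "$HOST_LISTING"; then
    echo "host listing warns about rules kept in the other backend"
fi
```

On the question's setup this prints `iptables-nft` as the command to run inside the focal container; on a host that still keeps its rules in the legacy backend it prints `iptables-legacy` instead. The warning check matters for monitoring: a listing that carries it is incomplete, so a read-only monitor in a container should inspect both backends (or use the one the host actually populates) rather than trust a single empty chain.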
