Docker + Iptables: Caveats to be aware of


Michael Ziegler

Time: Sunday, 11:00, Room V4

If you're running Docker on an internet-facing server, you have probably already discovered that when it comes to exposing a port, Docker really means it: it bypasses most iptables-based firewalls. That means your shiny new MongoDB container, which you wanted to expose only to your host, is actually exposed to the whole wide world. This might come as a surprise.

Docker itself offers very limited options to narrow this access down. But if your firewall knows about Docker and attaches to it in just the right place, you can get it to work and regain control. I'm going to show specifically how that can be done, using MicroFW as an example, while explaining the underlying concepts so that you can write your own iptables rules and be sure they actually apply.
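As an added example (not part of the talk and not MicroFW's code), the script below shows the hook a Docker-aware firewall attaches to: the DOCKER-USER chain, which Docker places at the top of FORWARD and leaves for the administrator. The external interface eth0, host port 27017 and the allowed network 10.0.0.0/8 are assumed values, not from the page.

```shell
#!/bin/sh
# Added example, not part of the talk: pin a Docker-published port to an allowed
# network using the DOCKER-USER chain. Docker inserts DOCKER-USER at the top of
# FORWARD and never writes rules into it, so rules placed here survive daemon
# restarts and run before Docker's own ACCEPT rules. Assumptions (not from the
# page): external interface eth0, MongoDB published with -p 27017:27017, and
# 10.0.0.0/8 as the only network allowed in.
set -e

# Print the rules in iptables-save style so they can be reviewed before use.
# $1 = external interface, $2 = published host port, $3 = allowed source CIDR.
# Caveat: FORWARD runs after Docker's DNAT, so --dport would see the container
# port; --ctorigdstport matches the port the client actually connected to.
docker_user_rules() {
    ext_if=$1 port=$2 allow=$3
    cat <<EOF
-A DOCKER-USER -i $ext_if -s $allow -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN
-A DOCKER-USER -i $ext_if -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP
-A DOCKER-USER -j RETURN
EOF
}

# Flush DOCKER-USER and load the generated rules (needs root and a running Docker).
apply_docker_user_rules() {
    iptables -F DOCKER-USER
    docker_user_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule string is intended
        iptables $rule
    done
}

# Check that the chain is really wired in: Docker only creates it when the
# daemon runs with its iptables management enabled.
docker_user_chain_present() {
    iptables -S FORWARD 2>/dev/null | grep -q -- '-j DOCKER-USER'
}

# Only touch the live firewall when explicitly asked: ./script apply
if [ "${1:-}" = "apply" ]; then
    docker_user_chain_present || { echo "DOCKER-USER chain missing" >&2; exit 1; }
    apply_docker_user_rules "${EXT_IF:-eth0}" "${PORT:-27017}" "${ALLOW_CIDR:-10.0.0.0/8}"
else
    docker_user_rules "${EXT_IF:-eth0}" "${PORT:-27017}" "${ALLOW_CIDR:-10.0.0.0/8}"
fi
```

Traffic from the host itself to the published port never traverses FORWARD, so the `-i eth0` rules leave local access untouched while dropping new connections from everyone outside the allowed network.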


Desired prior knowledge: Basic knowledge of iptables rules would be helpful.