Docker + Iptables: Caveats to be aware of

Speaker:

Michael Ziegler

Scheduled time: Sunday, 11:00, Room V4

If you're running Docker on an internet-facing server, you probably already discovered that when it comes to exposing a port, Docker really means it and actually bypasses most iptables-based firewalls. That means that your shiny new MongoDB container that you wanted to expose only to your host is actually exposed to the whole wide world. This might come as a surprise.

Docker itself offers very limited options to narrow this access down. But if your firewall knows about Docker and attaches to it just right, you can get it to work and gain back your security. I'm going to show specifically how that can be done, using MicroFW as an example, but explaining the underlying concepts so that you can write your own iptables rules and be sure they apply.
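The concept the talk builds on, as an added example that is not MicroFW's code or the speaker's: traffic to a published container port is DNATed and then routed through the FORWARD chain, not INPUT, so an INPUT rule that "only allows the host" never sees it. Docker creates a DOCKER-USER chain that it evaluates before its own FORWARD rules and leaves untouched when it rebuilds its chains, so that is where your own restrictions belong. Because DNAT has already rewritten the destination by then, the rule matches the original destination port via conntrack rather than --dport. The interface name eth0, the port 27017 and the client address 203.0.113.10 are assumptions constructed for this example; set DRY_RUN=1 to print the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of MicroFW: restrict a Docker-published port from the
# DOCKER-USER chain so the rule actually applies to container traffic.
# Assumptions (constructed): external interface eth0 (override with WAN_IF),
# published port 27017/tcp, single allowed client 203.0.113.10.

WAN_IF="${WAN_IF:-eth0}"

# Execute iptables, or only echo the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Allow one source address to reach a published port and drop everyone else.
# Both rules are inserted at position 1, so the ACCEPT (inserted second) ends
# up in front of the DROP, and both precede Docker's default RETURN rule.
# Packets reach DOCKER-USER after DNAT, so the original destination port is
# matched with conntrack (--ctorigdstport) instead of --dport.
restrict_published_port() {
    port="$1"
    allowed_src="$2"
    run -I DOCKER-USER 1 -i "$WAN_IF" -p tcp \
        -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j DROP
    run -I DOCKER-USER 1 -i "$WAN_IF" -p tcp -s "$allowed_src" \
        -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j ACCEPT
}

# Verification step: list the DOCKER-USER chain in iptables-save syntax so you
# can confirm the ACCEPT/DROP pair sits above the RETURN rule.
list_docker_user_rules() {
    run -S DOCKER-USER
}

# Usage: ./restrict-port.sh PORT ALLOWED_SRC   (no arguments: do nothing)
if [ "$#" -ge 2 ]; then
    restrict_published_port "$1" "$2"
    list_docker_user_rules
fi
```

After applying it, a connection to the published port from any address other than the allowed one is dropped in FORWARD before Docker's own ACCEPT rules are reached, which is the behaviour an INPUT-based rule set only appears to provide.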

Website: https://github.com/Svedrin/microfw

Desired previous knowledge: Basic knowledge about iptables rules would be helpful.