I’m trying to use iptables to block all internal traffic with the exception of one server. Here are my rules, but when I telnet from another instance I can still connect…

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-383efc983cd2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-383efc983cd2 -j DOCKER
-A FORWARD -i br-383efc983cd2 ! -o br-383efc983cd2 -j ACCEPT
-A FORWARD -i br-383efc983cd2 -o br-383efc983cd2 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-383efc983cd2 -o br-383efc983cd2 -p tcp -m tcp --dport 1080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-383efc983cd2 ! -o br-383efc983cd2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-383efc983cd2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 10.0.1.253/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -m state --state ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
Answer
When debugging iptables I normally:
- reset all the counters: ‘iptables -Z’
- make the connection
- then review the rule hits: ‘iptables -L -v -n | more’
This should give you some pointers as to which rule is passing the connection.
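As an added illustration of the counter check described above (not part of the original answer), the script below takes the output of ‘iptables -L -v -n’ on stdin and lists only the chain policies and rules whose packet counters moved since ‘iptables -Z’. The dump it runs on is constructed to mirror the question: DOCKER-USER is only reached from FORWARD (‘-A FORWARD -j DOCKER-USER’ in the posted rules), so a telnet to a port on the host itself shows up under INPUT, whose policy is ACCEPT and which has no rules.

```shell
#!/bin/sh
# Added example (not from the original post): after `iptables -Z`, make the
# connection, then pipe `iptables -L -v -n` into hit_rules to list only the
# chains and rules whose packet counters moved. The dump below is constructed.
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       10.0.1.253           0.0.0.0/0            tcp dpt:22
    4   240 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
    0     0 REJECT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Reads `iptables -L -v -n` output on stdin; prints one line per chain policy
# or rule with a non-zero packet count. Counters such as "12K" still count as
# non-zero because awk's numeric conversion reads the leading digits.
hit_rules() {
  awk '
    /^Chain / {
      chain = $2
      if ($3 == "(policy" && $5 + 0 > 0)
        printf "%s policy %s: %s packets\n", chain, $4, $5
      next
    }
    $1 ~ /^[0-9]+[KMG]?$/ && $1 + 0 > 0 {
      n = $1; $1 = ""; $2 = ""; sub(/^ +/, "")
      printf "%s rule (%s pkts): %s\n", chain, n, $0
    }'
}

# Number of counters that moved (handy as a one-number sanity check).
hit_count() { hit_rules | grep -c .; }

# Demo on the constructed dump: the 12 telnet packets were accepted by the
# INPUT chain's policy, never by a rule in DOCKER-USER (a FORWARD-only chain);
# the only DOCKER-USER hits are unrelated ESTABLISHED container traffic.
printf '%s\n' "$SAMPLE" | hit_rules
```

On a live host, replace the constructed dump with ‘iptables -L -v -n | hit_rules’ (and the same for ‘-t nat’ if NAT rules are in play).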