Docker - modifying IPTABLES for host from container

Maciej Krajewski · May 11, 2015 · Viewed 9.1k times

I want to run a Docker container with a central log and a fail2ban service to prevent DoS/DDoS attacks.

I'm having a problem running a container with such capabilities that it could also modify the host's iptables.

There is a project, ianblenke/docker-fail2ban, however it does not work...

Giving the container the privileged flag only allows me to control iptables in this container. Is there any way to control the host's iptables through a container?

Regards.

Answer

larsks · May 11, 2015

Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).

If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:

--net="bridge"
   Set the Network mode for the container
       'bridge': creates a new network stack for the container on the docker bridge
       'none': no networking for this container
       'container:': reuses another container network stack
       'host':  use  the host network stack inside the container.
       Note: the host mode gives the container full access to
       local system services such as D-bus and is therefore
       considered insecure.

You will need to run with both --privileged and --net=host.
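The following script is an added example, not code from the original question or answer and not part of the ianblenke/docker-fail2ban project. It builds the `docker run` invocation the answer describes and adds the check a practitioner wants before trusting it: confirm from inside the container that it really shares the host's network namespace. Netfilter state is per network namespace, so `--net=host` puts the container in the namespace whose tables you want to edit, but a container also needs CAP_NET_ADMIN (and CAP_NET_RAW, which iptables uses) to change rules. `--privileged` grants those along with every other capability; `--cap-add=NET_ADMIN --cap-add=NET_RAW` is the narrower alternative, so the script offers both. The image name, container name and log-directory bind mount are assumptions.

```shell
#!/bin/sh
# Added example: run a fail2ban container that manages the host's iptables.
# IMAGE, LOG_DIR and the container name "fail2ban" are assumed placeholders.
set -eu

IMAGE="${FAIL2BAN_IMAGE:-example/fail2ban}"   # assumption: your fail2ban image
LOG_DIR="${LOG_DIR:-/var/log}"                # host logs for fail2ban to read

# Print the docker run arguments for one of two privilege models.
#   caps       - least privilege: host netns + only the caps iptables needs
#   privileged - what the answer above suggests (all caps, device access)
# Both share the host network namespace; without --net=host the container
# would only ever see and edit its own, isolated netfilter tables.
build_run_args() {
  mode="$1"
  base="run -d --name fail2ban --net=host --restart=unless-stopped"
  case "$mode" in
    caps)       privs="--cap-add=NET_ADMIN --cap-add=NET_RAW" ;;
    privileged) privs="--privileged" ;;
    *) echo "unknown mode: $mode (use caps or privileged)" >&2; return 1 ;;
  esac
  printf '%s %s -v %s:/var/log:ro %s\n' "$base" "$privs" "$LOG_DIR" "$IMAGE"
}

# Identifier of the network namespace the calling process lives in.
# Run it on the host and via `docker exec fail2ban readlink /proc/self/ns/net`;
# the two strings match only when the container is really in the host's netns.
netns_id() {
  readlink /proc/self/ns/net
}

# Verify the running container: same netns as the host, and iptables usable.
verify_container() {
  host_ns=$(netns_id)
  ctr_ns=$(docker exec fail2ban readlink /proc/self/ns/net)
  if [ "$host_ns" != "$ctr_ns" ]; then
    echo "container is NOT in the host network namespace" >&2
    return 1
  fi
  # Listing a built-in chain fails with EPERM if CAP_NET_ADMIN is missing.
  docker exec fail2ban iptables -S INPUT >/dev/null
  echo "ok: shared netns $host_ns, iptables accessible"
}

# Usage: sh run-fail2ban.sh --run [caps|privileged]
if [ "${1:-}" = "--run" ]; then
  # shellcheck disable=SC2046  # word splitting of the argument list is intended
  docker $(build_run_args "${2:-caps}")
  verify_container
fi
```

If `verify_container` reports a namespace mismatch, the container was started without `--net=host`; if the namespace matches but `iptables -S INPUT` is refused, the container is in the right place but lacks CAP_NET_ADMIN. Note also that fail2ban's own rules will sit beside the DOCKER chains that the daemon manages on the host, so keep its jail actions confined to the INPUT chain it targets.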