Docker - modifying IPTABLES for host from container
Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).
If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:
--net="bridge"
  Set the Network mode for the container
    'bridge': creates a new network stack for the container on the docker bridge
    'none': no networking for this container
    'container:': reuses another container network stack
    'host': use the host network stack inside the container.
  Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.
You will need to run with both --privileged and --net=host.
The --privileged flag is not required anymore. Starting with Docker 1.2 you can now run your image with the parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW, which will allow internal iptables.
It might also be worth noticing that in the official Ubuntu images from Docker Hub the iptables package is not installed. So the general instruction should be:
- apt-get install iptables
- run the docker container with the --net=host, --cap-add=NET_ADMIN and --cap-add=NET_RAW options.
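An added preflight check (example code, not from any of the answers above) that a container entrypoint can run before calling iptables: it reads the effective capability mask from /proc/self/status and reports which of the two capabilities named above is missing, so a forgotten --cap-add is diagnosed clearly instead of surfacing as an opaque permission error from iptables. The bit numbers are the Linux capability numbers for CAP_NET_ADMIN (12) and CAP_NET_RAW (13); the sample masks in the comments are constructed for illustration.

```shell
#!/bin/sh
# Linux capability bit numbers (see capabilities(7)).
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap MASK BIT -> exit 0 if bit BIT is set in the hex mask MASK
# (the format of the CapEff line in /proc/<pid>/status).
has_cap() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff_mask -> prints the CapEff hex value of the current process.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# missing_caps MASK -> prints the names of the iptables-relevant
# capabilities that are NOT set in MASK (empty string if both present).
# Constructed sample: a mask with NET_RAW but not NET_ADMIN, such as
# 00000000a80425fb, yields "CAP_NET_ADMIN".
missing_caps() {
    missing=""
    has_cap "$1" "$CAP_NET_ADMIN" || missing="$missing CAP_NET_ADMIN"
    has_cap "$1" "$CAP_NET_RAW"   || missing="$missing CAP_NET_RAW"
    printf '%s\n' "${missing# }"
}

# preflight -> returns 0 when iptables has the capabilities it needs in
# this container, 1 otherwise, with a message naming the missing ones.
preflight() {
    mask=$(cap_eff_mask)
    missing=$(missing_caps "$mask")
    if [ -n "$missing" ]; then
        echo "iptables preflight: CapEff=$mask, missing: $missing (add --cap-add for each)" >&2
        return 1
    fi
    echo "iptables preflight: CapEff=$mask, NET_ADMIN and NET_RAW present"
}
```

Call preflight from the entrypoint and abort on non-zero; note it only checks capabilities, not whether the container shares the host network namespace.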
Also, if you have a docker image that is missing the iptables package, and you don't want to create a custom image from it, you may run a container with iptables in the same network space. E.g. if you have the container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:
docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables