Docker - modifying IPTABLES for host from container

Docker containers, by default, run inside an isolated network namespace where they do not have access to the host network configuration (including iptables).

If you want your container to be able to modify the network configuration of the host, you need to pass the --net=host option to docker run. From the docker-run(1) man page:

--net="bridge"   Set the Network mode for the container       'bridge': creates a new network stack for the container on the docker bridge       'none': no networking for this container       'container:': reuses another container network stack       'host':  use  the host network stack inside the container.       Note: the host mode gives the container full access to       local system services such as D-bus and is therefore       considered insecure.

You will need to run with both --privileged and --net=host.

--privileged flag is not required anymore. Starting with Docker 1.2 you can now run your image with parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW which will allow internal iptables.

It might be also worth noticing that in official Ubuntu images from Docker Hub iptables package is not installed.So general instruction should be

• apt-get install iptables
• run docker container with --net=host and --cap-add=NET_ADMIN --cap-add=NET_RAW options.

Also, if you have a docker image that is missing iptables package, and you don't want to create a custom image from it, you may run container with iptables in the same network space. E.g. if you have container container-without-iptables running, and you want to start some container-with-iptables in the same network namespace, you can do:

docker run -it --pid=container:container-without-iptables --net=container:container-without-iptables --cap-add sys_admin container-with-iptables