Conversation

@fliespl
Contributor

@fliespl fliespl commented Jan 1, 2025

Description

With only mentioned rule, DNS queries from containers won't work.

Reviews

  • Technical review
  • Editorial review
  • Product review

@fliespl fliespl requested a review from dvdksn as a code owner January 1, 2025 19:51
@github-actions github-actions bot added area/engine Issue affects Docker engine/daemon area/networking Relates to anything around networking labels Jan 1, 2025
Contributor

@robmry robmry left a comment

Thank you @fliespl ... a hint like this to go along with the existing examples looks useful, without taking us too far down the path of providing general iptables documentation.

`2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to
`2001:db8:1111::2` and leave `2001:db8:2222::2` open.

If your containers are also querying DNS, you should add this rule as well to allow them to work:
Contributor

@robmry robmry Jan 2, 2025

The suggested rule isn't specific to DNS, it accepts any incoming or outgoing packet that's part of a flow that's already been allowed by some other rule.

So, how about ...

Suggested change
If your containers are also querying DNS, you should add this rule as well to allow them to work:
You may need to allow responses from servers outside the permitted external address ranges. For example, containers may send DNS or HTTP requests to hosts that are not allowed to access the container's services. The following rule accepts any incoming or outgoing packet belonging to a flow that has already been accepted by other rules. It must be placed before `DROP` rules that restrict access from external address ranges.
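Because the rule only works if it is evaluated before the restrictive `DROP` rules, here is an added shell check (not part of this PR or Docker's documentation) that reads `iptables -S DOCKER-USER` output and confirms the RELATED,ESTABLISHED accept rule precedes every DROP rule. The chain listings and the `192.0.2.0/24` range are constructed samples.

```shell
#!/bin/sh
# Added example: verify DOCKER-USER rule ordering so that replies to DNS/HTTP
# requests from containers are accepted before any external-range DROP rule.

# Constructed sample of `iptables -S DOCKER-USER`, in evaluation order.
# This is the recommended ordering: conntrack ACCEPT first, then DROP.
GOOD_CHAIN='-N DOCKER-USER
-A DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 ! -s 192.0.2.0/24 -j DROP
-A DOCKER-USER -j RETURN'

# Constructed sample with the DROP rule first: replies from hosts outside
# 192.0.2.0/24 are dropped before the conntrack rule is ever reached.
BAD_CHAIN='-N DOCKER-USER
-A DOCKER-USER -i eth0 ! -s 192.0.2.0/24 -j DROP
-A DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN'

# check_order CHAIN_TEXT
#   returns 0 if an ESTABLISHED ACCEPT rule precedes every DROP rule,
#   1 if some DROP rule comes before it, 2 if no such ACCEPT rule exists.
# Matches both `-m state --state` and the `-m conntrack --ctstate` form
# that newer iptables releases print.
check_order() {
  printf '%s\n' "$1" | awk '
    /-j DROP/ && !seen_accept { bad = 1 }
    /--(ct)?state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ { seen_accept = 1 }
    END { if (!seen_accept) exit 2; exit (bad ? 1 : 0) }'
}

# On a real host, run as root: check_order "$(iptables -S DOCKER-USER)"
```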

Contributor Author

Yeap, this makes much more sense :)

Comment on lines 123 to 138
```
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Member

If you're updating, can you also:

  • add a newline before the code-block
  • add a console code-hint to make sure it's properly highlighted?
Suggested change
```
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
```
```console
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
```

@thaJeztah thaJeztah self-assigned this Feb 5, 2025
@docker-robot

docker-robot bot commented May 6, 2025

Thanks for the pull request. We'd like to make our product docs better, but haven’t been able to review all the suggestions.
As our docs have also diverged, we do not have the bandwidth to review and rebase old pull requests.

If the updates are still relevant, review our contribution guidelines and rebase your pull request against the latest version of the docs, then mark it as fresh with a /remove-lifecycle stale comment.
If not, this pull request will be closed in 30 days. This helps our maintainers focus on the active pull requests.

Prevent pull requests from auto-closing with a /lifecycle frozen comment.

/lifecycle stale

Co-authored-by: Rob Murray <rob.murray@docker.com>
Co-authored-by: fliespl <a.rzadkowolski@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
Member

@robmry @aevesdocker I rebased this one and applied your suggestions; PTAL

Contributor

@robmry robmry left a comment

LGTM - thank you.

Member

@thaJeztah thaJeztah left a comment

LGTM

@thaJeztah thaJeztah merged commit a3501cd into docker:main May 6, 2025
14 checks passed