Why does docker use PREROUTING?

[stresler]

By using a PREROUTING rule in iptables to send all traffic to the DOCKER chain this effectively eliminates the INPUT chain and a lot of default bahvaviour. This has negative affects for people running more than just docker on a machine.

Would INPUT be a better place to add a rule, then allowing users to construct their own policies as long as traffic lands in the DOCKER chain eventually.

This would be less fool-proof, but could be compensated for by parsing the rules and providing adequate messaging if a user is accidentally bypassing the DOCKER chain.

I've removed the PREROUTING rule and added it back to the INPUT chain and on a test instance and am not seeing any negative consequences. I do want to know if what the underlying logic is here.

There are some pretty severe limitations to the doc's recommendation: "Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 8.8.8.8 can access the containers, the following rule could be added:"

For example, what if someone wants to lock down access to one of 2 IP's?

This also prevents adding system wide rules like restricting SSH to a list of ips.

[GordonTheTurtle]

Hi!

Please read this important information about creating issues.

If you are reporting a new issue, make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.

If you suspect your issue is a bug, please edit your issue description to include the BUG REPORT INFORMATION shown below. If you fail to provide this information within 7 days, we cannot debug your issue and will close it. We will, however, reopen it if you later provide the information.

This is an automated, informational response.

Thank you.

For more information about reporting issues, see https://github.com/docker/docker/blob/master/CONTRIBUTING.md#reporting-other-issues

---

BUG REPORT INFORMATION

Use the commands below to provide key information from your environment:

docker version:
docker info:
uname -a:

Provide additional environment details (AWS, VirtualBox, physical, etc.):

List the steps to reproduce the issue:
1.
2.
3.

Describe the results you received:

Describe the results you expected:

Provide additional info you think is important:

----------END REPORT ---------

#ENEEDMOREINFO

[phemmer]

You can't use DNAT rules from the INPUT chain on the nat table. DNAT is only valid on PREROUTING and OUTPUT.

Edit: Oh, and

For example, what if someone wants to lock down access to one of 2 IP's?

I agree, this is an issue, but the global allow isn't the issue. The issue is that docker adds rules to the top of the chain. It should append instead. Then you could add your own rules to the FORWARD chain on the filter table.
This has been brought up numerous times, but unfortunately has never changed.

[stresler]

Ok, I think I was misreading what was going on in those tables. Closing this for now, but might re-open if I come up with a better solution.