add another iptables rule to allow dns queries from container #21708

add another iptables rule to allow dns queries from container
fliespl authored Jan 1, 2025
commit 1a24ad0e75ee1922c44a84a5173703a9df56cdb0
@@ -119,6 +119,11 @@ the source and destination. For instance, if the Docker host has addresses
`2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to
`2001:db8:1111::2` and leave `2001:db8:2222::2` open.

If your containers are also querying DNS, you should add this rule as well to allow them to work:
Contributor

@robmry robmry Jan 2, 2025


The suggested rule isn't specific to DNS, it accepts any incoming or outgoing packet that's part of a flow that's already been allowed by some other rule.

So, how about ...

Suggested change
If your containers are also querying DNS, you should add this rule as well to allow them to work:
You may need to allow responses from servers outside the permitted external address ranges. For example, containers may send DNS or HTTP requests to hosts that are not allowed to access the container's services. The following rule accepts any incoming or outgoing packet belonging to a flow that has already been accepted by other rules. It must be placed before `DROP` rules that restrict access from external address ranges.

Author


Yeap, this makes much more sense :)

```
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Member


If you're updating, can you also:

  • add a newline before the code-block
  • add a console code-hint to make sure it's properly highlighted?
Suggested change
```
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
```
```console
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
```


`iptables` is complicated. There is a lot more information at [Netfilter.org HOWTO](https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html).

### Direct routing
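Review bot: the surrounding section uses IPv6 addresses (`2001:db8:1111::2`, `2001:db8:2222::2`), but the added command is `iptables` only, so it covers IPv4; please show the matching `ip6tables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT` as well, or state that the rule has to be added to both tables. It is also worth spelling out that `-I` inserts at the head of `DOCKER-USER`, which is what satisfies the "must be placed before `DROP` rules" requirement in the suggested wording; a reader who substitutes `-A` would append the rule after any existing DROP rules and it would never be reached for the traffic those rules drop. Finally, `-m state --state` is the legacy match; `-m conntrack --ctstate RELATED,ESTABLISHED` is the current equivalent and would be the better form to document.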