Changes

Docker

546 bytes added, 09:01, 23 June 2018

no edit summary

:[[File:ClipCapIt-180623-010335.PNG|800px]]

* -o, --out-interface name

* -i, --input-interface name

* -s, source IP address

* -d, destination IP address

* -p, Sets the IP protocol for the rule

* -j, jump to the given target/chain

DNS and DCHP packages from the Virtual Bridges are allowed to be sent to the host machine.

</pre>

The virbrDocker bridge can send packages anywhere (first line) and can receive packages back if the connections was previously already established (second line)<br>

<pre>

~~-A FORWARD -i virbr1 -o virbr1 -j ACCEPT~~

~~-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable~~

~~-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable~~

-A FORWARD -d 192.168.123.0/24 -o virbrDocker -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -s 192.168.123.0/24 -i virbrDocker -j ACCEPT

</pre>

The bridges can send packages to themselves, otherwise everything is rejected that was sent or form the bridges

<pre>

-A FORWARD -i virbrDocker -o virbrDocker -j ACCEPT

-A FORWARD -i virbr1 -o virbr1 -j ACCEPT

#If not accepted above, we reject everything from the two bridges

-A FORWARD -o virbrDocker -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -i virbrDocker -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable

</pre>

Adam

Bureaucrat, administrator

7,540

edits

Changes

Docker

berki WIKI