I am trying to run a private docker registry on my CentOS 7 VPS which is running httpd apache and iptables.

When I start the container, docker run -it -p 5017:5000 --name registry registry, I try to run curl http://localhost:5017/v2 and I get the following error after 5ish minutes (no other output before):

curl: (56) Recv failure: Connection reset by peer

I figured out that if I disable my iptables, I can connect to my docker container just fine. I was looking at my iptables rules and noticed that if I comment out one of them, everything works fine. The rule I comment out is -A OUTPUT -j DROP. But I really don't want to allow all outgoing traffic. Is that okay? Or is there a specific port I have to open?

I tried adding all of the following rules and none of them helped.

-A INPUT -p tcp --dport 5000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5000 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 5017 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 5017 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5000 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 5017 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5017 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5017 -j ACCEPT

1 Answer

Dropping all traffic in the OUTPUT rule is going to prevent you from reaching any containers on your host: from the perspective of your system, a container has an address "somewhere else on the network" just like anything reachable via your ethernet or wifi connection.

If you want to block "all traffic going out your primary interface", you can write something like:

iptables -A OUTPUT -o eth0 -j DROP

This would only impact traffic exiting on eth0 (but since this would prevent things like DNS from working it's likely you're going to want a more nuanced ruleset).

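The answer's point is that host-to-container traffic is ordinary routed traffic that happens to leave through Docker's bridge interface rather than the public one, so a blanket OUTPUT drop kills it. The script below is an added example, not code from the question or the answer: it builds an OUTPUT chain that keeps the "drop everything else" stance for the public interface while explicitly accepting loopback, already-established connections, traffic to the Docker bridge, and DNS/NTP. It assumes the public interface is eth0 (as in the answer) and that Docker uses its default bridge name, docker0; both can be overridden with the PUBLIC_IF and DOCKER_BRIDGE environment variables. By default it only prints the rules for review; run it as root with --apply to load them through iptables-restore.

```shell
#!/bin/sh
# Added example: an OUTPUT chain that blocks outbound traffic on the public
# interface but still lets the host reach its own Docker containers.
# Assumptions: public interface eth0, Docker's default bridge docker0.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
DOCKER_BRIDGE="${DOCKER_BRIDGE:-docker0}"

# Print the OUTPUT rules in iptables-restore format. iptables stops at the
# first matching rule, so every ACCEPT must appear before the final DROP;
# rules appended (-A) after an existing "-A OUTPUT -j DROP" never match.
docker_friendly_output_rules() {
    cat <<EOF
*filter
# Loopback: curl http://localhost:5017 and most local IPC need this.
-A OUTPUT -o lo -j ACCEPT
# Replies belonging to connections already accepted on INPUT.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Host-to-container traffic leaves via the Docker bridge, not ${PUBLIC_IF};
# this is the path a blanket "-A OUTPUT -j DROP" was breaking.
-A OUTPUT -o ${DOCKER_BRIDGE} -j ACCEPT
# Minimal outbound services the host itself needs on the public interface.
-A OUTPUT -o ${PUBLIC_IF} -p udp --dport 53 -j ACCEPT
-A OUTPUT -o ${PUBLIC_IF} -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o ${PUBLIC_IF} -p udp --dport 123 -j ACCEPT
# Everything else leaving the public interface is dropped, as in the answer.
-A OUTPUT -o ${PUBLIC_IF} -j DROP
COMMIT
EOF
}

# Sanity check before loading: the bridge ACCEPT must precede the public DROP,
# otherwise containers become unreachable again.
rule_order_ok() {
    rules=$(docker_friendly_output_rules | grep -v '^#')
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-o ${DOCKER_BRIDGE} -j ACCEPT" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-o ${PUBLIC_IF} -j DROP" | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

case "${1:-}" in
    --apply)
        # --noflush appends to the existing chains instead of replacing them.
        rule_order_ok && docker_friendly_output_rules | iptables-restore --noflush ;;
    *)
        docker_friendly_output_rules ;;
esac
```

One detail worth checking against the rules listed in the question: they are written in the saved-rules form (-A OUTPUT ...), and -A appends. If they were appended after the existing -A OUTPUT -j DROP line, the DROP matched first and the new ACCEPT rules were never evaluated, which would explain why none of them helped.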