I'm using Rancher to manage a set of Docker containers. I'm trying to secure these containers with iptables. So far I have managed to block all access to them completely, but I have not been able to get any further than that.
I want to allow a specific IP address (or addresses) access to a specific port (port 8080 of the Docker container is being forwarded to 13001 on the host using Rancher's DNS).
Here's my iptables export:
# Generated by iptables-save v1.4.21 on Mon Aug 17 16:36:06 2015
*mangle
# No rules in this table: every built-in chain keeps its default ACCEPT policy.
# The [packets:bytes] figures are counters written by iptables-save, not configuration.
:PREROUTING ACCEPT [8912986:4655287801]
:INPUT ACCEPT [7350962:3834040196]
:FORWARD ACCEPT [1407346:804903486]
:OUTPUT ACCEPT [7683306:4623499864]
:POSTROUTING ACCEPT [9089180:5428319626]
COMMIT
# Completed on Mon Aug 17 16:36:06 2015
# Generated by iptables-save v1.4.21 on Mon Aug 17 16:36:06 2015
*nat
:PREROUTING ACCEPT [16244:1006045]
:INPUT ACCEPT [340:15612]
:OUTPUT ACCEPT [1575:218761]
:POSTROUTING ACCEPT [1657:223961]
:CATTLE_POSTROUTING - [0:0]
:CATTLE_PREROUTING - [0:0]
:DOCKER - [0:0]
# Inbound packets addressed to a local address pass through CATTLE_PREROUTING first, then DOCKER.
-A PREROUTING -j CATTLE_PREROUTING
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -j CATTLE_POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p udp -m udp --dport 4500 -j MASQUERADE
-A POSTROUTING -s 172.17.0.1/32 -d 172.17.0.1/32 -p udp -m udp --dport 500 -j MASQUERADE
# Source NAT for traffic leaving the 10.42.0.0/16 range (presumably Rancher's managed network —
# the CATTLE_ chains are Rancher-installed) and the 172.17.0.0/16 docker0 range.
-A CATTLE_POSTROUTING -s 10.42.0.0/16 -d 169.254.169.250/32 -j ACCEPT
-A CATTLE_POSTROUTING -s 10.42.0.0/16 ! -d 10.42.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A CATTLE_POSTROUTING -s 10.42.0.0/16 ! -d 10.42.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A CATTLE_POSTROUTING -s 10.42.0.0/16 ! -d 10.42.0.0/16 -j MASQUERADE
-A CATTLE_POSTROUTING -s 172.17.0.0/16 ! -o docker0 -p tcp -j MASQUERADE --to-ports 1024-65535
-A CATTLE_POSTROUTING -s 172.17.0.0/16 ! -o docker0 -p udp -j MASQUERADE --to-ports 1024-65535
-A CATTLE_PREROUTING -p udp -m addrtype --dst-type LOCAL -m udp --dport 4500 -j DNAT --to-destination 10.42.125.17:4500
-A CATTLE_PREROUTING -p udp -m addrtype --dst-type LOCAL -m udp --dport 500 -j DNAT --to-destination 10.42.125.17:500
# The published port: TCP to port 13001 on any local address is rewritten to 10.42.165.214:8080.
# This happens in PREROUTING, so by the time the filter table's FORWARD chain sees the packet
# its destination is already 10.42.165.214:8080, not the host's 13001. These DNAT rules carry
# no source restriction themselves; source filtering has to be done in the filter table.
-A CATTLE_PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 13001 -j DNAT --to-destination 10.42.165.214:8080
-A CATTLE_PREROUTING -p tcp -m addrtype --dst-type LOCAL -m tcp --dport 50001 -j DNAT --to-destination 10.42.165.214:50001
-A DOCKER ! -i docker0 -p udp -m udp --dport 4500 -j DNAT --to-destination 172.17.0.1:4500
-A DOCKER ! -i docker0 -p udp -m udp --dport 500 -j DNAT --to-destination 172.17.0.1:500
COMMIT
# Completed on Mon Aug 17 16:36:06 2015
# Generated by iptables-save v1.4.21 on Mon Aug 17 16:36:06 2015
*filter
# Default policies: inbound (INPUT) and forwarded (FORWARD) traffic is dropped unless a rule
# below accepts it; outbound (OUTPUT) traffic is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [186:18560]
:DOCKER - [0:0]
:LOGGING - [0:0]
:LOGGING_FORWARD - [0:0]
# INPUT: each accept matches on destination port only, from any source.
# There is no rule accepting loopback (-i lo) and no RELATED,ESTABLISHED accept in this chain,
# so replies to connections the host itself initiates are logged and dropped unless they happen
# to arrive on one of the listed ports.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30033 -j ACCEPT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT
-A INPUT -j LOGGING
# FORWARD: the DOCKER chain accepts only UDP 500/4500 to 172.17.0.1 and otherwise returns here;
# established flows towards docker0 and anything originating from docker0 are accepted.
# Everything else jumps to LOGGING_FORWARD, which logs and then unconditionally DROPs —
# no packet ever returns from it.
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j LOGGING_FORWARD
# UNREACHABLE: the rule above has already dropped every packet that gets this far, so this
# accept never fires. It also has no source restriction. To admit the DNAT'd 13001->8080
# traffic only from chosen addresses, a rule along the lines of
#   -A FORWARD -s <ALLOWED_IP>/32 -d 10.42.165.214/32 -p tcp -m tcp --dport 8080 -j ACCEPT
# must be placed BEFORE "-A FORWARD -j LOGGING_FORWARD" (the nat table has already rewritten
# the destination to 10.42.165.214:8080 when FORWARD evaluates the packet).
-A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p udp -m udp --dport 4500 -j ACCEPT
-A DOCKER -d 172.17.0.1/32 ! -i docker0 -o docker0 -p udp -m udp --dport 500 -j ACCEPT
# Rate-limited log, then drop. LOG is non-terminating, so the DROP that follows always applies.
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING_FORWARD -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped-Forward: "
-A LOGGING_FORWARD -j DROP
COMMIT
# Completed on Mon Aug 17 16:36:06 2015