
iptables not working on macvlan traffic in container

I have a host with one interface, eth0, IP 10.0.10.10/24. I start up Docker and add a container with no network. I then create a macvlan device on eth0, give it IP 10.0.10.20/24, and put it in the container.

Both the host and the container now have full network access.

I then create an iptables rule on the host to drop all traffic to or from the container's IP, 10.0.10.20. The rules do not work, and traffic gets through.

Of course, if I do it from within the container (either with ip netns exec $PID iptables ... or by giving the container the NET_ADMIN capability), it works.

Should the iptables rules of the underlying host not filter the traffic?

The answer to this is: you cannot do it. When using the bridge, the traffic runs into the host and out again, so it hits the host's IP stack. When you use macvlan, the only IP stack is the one in the container, so the host's iptables rules are never called.

The only way to do it is to change the iptables rules inside the container.

If you do not want to give the container access, e.g. if you want to control the container, then use ip netns exec ... from the host itself, which will control the iptables rules in the container without giving the container itself control.

I wrote a script that does that. It is available at https://github.com/deitch/ctables and licensed MIT.
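As an added illustration of the approach in this answer (example code written here, not the original post's script or the ctables project's code), the following assumes Docker, iproute2 and iptables on the host, root on the host, and sample values for the container name (myapp) and the peer address to block (10.0.10.99):

```shell
#!/bin/sh
# Added example (not the original post's or the ctables project's code): manage
# iptables inside a macvlan container's network namespace from the host, so the
# container itself never needs NET_ADMIN. Assumes Docker, iproute2 and iptables
# are installed and the script runs as root on the host. Container name "myapp"
# and peer address 10.0.10.99 are assumed sample values.
set -eu

# Execute a command, or only print it when DRY_RUN=1 (lets the functions be
# exercised without root, Docker or a real namespace).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Expose the container's network namespace under /var/run/netns/<name> so that
# "ip netns exec <name>" can enter it; Docker does not register it there itself.
attach_netns() {
    name="$1"
    pid=$(docker inspect -f '{{.State.Pid}}' "$name")
    mkdir -p /var/run/netns
    ln -sf "/proc/$pid/ns/net" "/var/run/netns/$name"
}

# Inside the container's namespace, drop everything exchanged with one peer.
# This is the in-container equivalent of the host-side rule from the question,
# which the host's own filter table never sees for macvlan traffic.
block_peer() {
    name="$1"; peer="$2"
    run ip netns exec "$name" iptables -I INPUT -s "$peer" -j DROP
    run ip netns exec "$name" iptables -I OUTPUT -d "$peer" -j DROP
}

# List what the container's filter table now holds.
show_rules() {
    run ip netns exec "$1" iptables -S
}

# Usage: ./ctables-example.sh <container> <peer-ip>
if [ "$#" -eq 2 ]; then
    attach_netns "$1"
    block_peer "$1" "$2"
    show_rules "$1"
fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue; the container keeps running without NET_ADMIN, since only the host's root enters the namespace.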
