37

I am writing a Dockerfile and I need iptables to be installed in the Docker container. I need to add a rule to iptables as I am trying to run in "host" network mode and it seems I need to install iptables for this purpose. When I try to include the rule as follows I get the following error.

iptables -I INPUT -p tcp -m tcp --dport 8080 -j ACCEPT


iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

Is it possible to run iptables with root privileges?

NirIzr
Tharanga

2 Answers

69

The --privileged flag is not required anymore. Starting with Docker 1.2 you can now run your image with the parameters --cap-add=NET_ADMIN and --cap-add=NET_RAW, which will allow iptables inside the container.

Dmitriusan
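Added example, not code from the thread or from any of its posters: an entrypoint-style script that checks the container's effective capability set before calling iptables, so a container started without the two capabilities fails with a clear message instead of the "Permission denied (you must be root)" above, and inserts the rule from the question only once. The capability bit numbers (NET_ADMIN = 12, NET_RAW = 13) come from the kernel's capability.h; the CapEff masks in the sample data are constructed and assumed to match what a default Docker container and one started with --cap-add=NET_ADMIN report in /proc/self/status.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread. Run inside the container
# (e.g. as its entrypoint) to verify that CAP_NET_ADMIN and CAP_NET_RAW are in
# the effective set before touching iptables, and to insert the rule only once.
set -eu

# Capability bit numbers from the kernel's <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# The rule from the question, kept as a plain string so it can be reused for
# both the existence check (-C) and the insert (-I).
RULE='INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'

# has_cap MASK BIT: MASK is the hex CapEff value as printed in /proc/<pid>/status.
# Returns 0 when bit BIT is set in the 64-bit mask.
has_cap() {
  local mask=$1 bit=$2
  [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff_from_status STATUS_TEXT: pull the CapEff mask out of /proc/<pid>/status content.
cap_eff_from_status() {
  printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# check_iptables_caps STATUS_TEXT: 0 if both capabilities iptables needs are present.
check_iptables_caps() {
  local mask
  mask=$(cap_eff_from_status "$1")
  has_cap "$mask" "$CAP_NET_ADMIN" && has_cap "$mask" "$CAP_NET_RAW"
}

# add_rule_once: -C succeeds when the rule already exists, so restarting the
# container does not stack duplicate ACCEPT rules at the top of INPUT.
add_rule_once() {
  # shellcheck disable=SC2086  # word-splitting of $RULE is intended
  iptables -C $RULE 2>/dev/null || iptables -I $RULE
}

# Constructed sample data (assumed, not captured on the asker's system): the
# CapEff line of a default Docker container, and of one started with
# --cap-add=NET_ADMIN. NET_RAW (bit 13) is already in Docker's default set;
# NET_ADMIN (bit 12) is not, which is what makes iptables fail.
DEFAULT_STATUS=$(printf 'Name:\tbash\nCapEff:\t00000000a80425fb\n')
NET_ADMIN_STATUS=$(printf 'Name:\tbash\nCapEff:\t00000000a80435fb\n')

# Only touch the live system when asked to, so the functions above can be
# sourced or exercised without iptables or the capabilities being present.
if [ "${1:-}" = "--apply" ]; then
  if check_iptables_caps "$(cat /proc/self/status)"; then
    add_rule_once
  else
    echo "iptables needs CAP_NET_ADMIN and CAP_NET_RAW; start the container with" \
         "--cap-add=NET_ADMIN --cap-add=NET_RAW (not --privileged)" >&2
    exit 1
  fi
fi
```

Start the container with `docker run --network host --cap-add=NET_ADMIN --cap-add=NET_RAW <image> /entrypoint.sh --apply`; the Compose equivalent is `network_mode: host` plus `cap_add: [NET_ADMIN, NET_RAW]` on the service. Keep in mind that with host networking the rule lands in the host's own filter table, not a container-private one, which is one more reason to grant exactly these two capabilities rather than --privileged.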
-1

Google to the rescue.

IPTables in docker

Docker runtime privilege

TL;DR version:

 docker run --privileged
user2105103
  • While correct, IMHO this feels like a Bad Idea for anything approaching a production environment (or development that is internet accessible), for the same reason why you don't run services as root. OP, please be very careful. There are better ways to skin this cat, IMHO. – Nick Burke Jan 17 '17 at 21:46
  • Agreed, but I just answered the question because I hate it when people cross-examine instead of answering the question. – user2105103 Jan 17 '17 at 21:47
    Agree with that. I don't know the circumstances that OP is up to, but figured I'd toss the warning in just in case. – Nick Burke Jan 17 '17 at 22:09
  • I agree with both of you that it is a bad idea to run it with --privileged, but this is a special circumstance where I need to debug an issue on a developer setup. Thanks @NickBurke, I tried that and it works. But I forgot to mention that I was running everything (there are a few services involved, all of them running as Docker containers) with docker-compose, and that's where I hit the issue. I tried changing the user to root but it did not help. There are a lot of repetitive tasks, so I really don't want to start each and every service individually. – Tharanga Jan 18 '17 at 06:47