##### Firewalling #####

1. [https://github.com/docker/docker/issues/22054 Docker Engine daemon modifies iptables to bypass firewall rules for mapped ports by default!]

2. [https://github.com/docker/docker/issues/14041 Docker Engine daemon enables kernel IP forwarding without adding any restricting rules on what inbound IP packets are being forwarded!]

A possible mitigation for the second issue, as a script. It drops anything arriving on the external interface that is not addressed to the host's own IPv4 address; since the mangle PREROUTING chain runs before the nat PREROUTING chain, published ports (which are still addressed to the host at that point and are DNATed later) keep working:

{{{#!sh
# Interface of the default route and the first IPv4 address configured on it
EXT_IF=$( ip r s 0.0.0.0/0 | cut -f5 -d" " )
EXT_IPV4=$( ip a s dev "${EXT_IF}" | grep "inet " | head -n1 | awk '{print $2}' | sed 's/\/.*//' )

# Drop inbound packets on the external interface not addressed to the host itself
# (note: secondary addresses on EXT_IF are not covered and would be dropped too)
iptables -t mangle -I PREROUTING 1 -i "$EXT_IF" ! -d "$EXT_IPV4" -j DROP
}}}
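The script above depends on the exact shape of `ip route` and `ip addr` output and on forwarding actually being enabled. As an added example (not part of the original page), the following POSIX shell helpers parse constructed copies of that output, handle a default route without a `via` hop, pick only the first address, check the forwarding sysctl, and build the same rule; the function names and sample output are my own.

```shell
# default_route_dev: interface name of the default route, read from
# "ip r s 0.0.0.0/0" output on stdin. Finds the word after "dev" instead of
# assuming field 5, so a route without "via" (e.g. a PPP link) still parses.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# primary_ipv4: first IPv4 address (without prefix length) from
# "ip a s dev IF" output on stdin; stops after one so the rule gets one value.
primary_ipv4() {
    awk '$1 == "inet" { sub("/.*", "", $2); print $2; exit }'
}

# ip_forward_enabled: succeed when the forwarding switch reads 1. Takes an
# optional path so it can be tested against a constructed file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# forward_guard_rule IF IP: the mangle PREROUTING rule from the page, as text,
# so it can be reviewed before being applied.
forward_guard_rule() {
    printf 'iptables -t mangle -I PREROUTING 1 -i %s ! -d %s -j DROP\n' "$1" "$2"
}

# Constructed sample output (not captured from a real host; RFC 5737 addresses).
SAMPLE_ROUTE='default via 192.0.2.1 dev eth0 proto dhcp src 192.0.2.10 metric 100'
SAMPLE_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/24 brd 192.0.2.255 scope global dynamic eth0
    inet 192.0.2.11/24 scope global secondary eth0
    inet6 2001:db8::10/64 scope global'

# Dry run on the samples: print the rule that would be installed.
ext_if=$(printf '%s\n' "$SAMPLE_ROUTE" | default_route_dev)
ext_ip=$(printf '%s\n' "$SAMPLE_ADDR" | primary_ipv4)
forward_guard_rule "$ext_if" "$ext_ip"
```

On a live host, replace the samples with `ip r s 0.0.0.0/0` and `ip a s dev "$ext_if"` and run the printed rule only after confirming `ip_forward_enabled` succeeds.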