Manage iptables firewall for Docker/Kubernetes

Liejun Tao
Published in The Startup
Mar 2, 2020

This article describes my experience applying an iptables firewall to Docker/Kubernetes hosts.

My solution is based on this article, so it is not a new idea. But I write it down because I still see comments here and there about the trouble of making iptables play well with Docker.

When moving most of my workloads into Kubernetes clusters, I found that the same solution works well as a host-level firewall to block undesired access.

Traditional iptables firewall

iptables is a command-line tool for configuring the Linux kernel's packet-filtering rule set (netfilter). One common use is a host-level firewall that blocks unwanted network traffic and allows the desired traffic. In that case the rules live mainly in the INPUT chain of the filter table, which sees traffic addressed to the host itself, and allow or deny what arrives from outside.

NOTE: All examples below are examples ONLY. Don’t use them as real firewall rules.

The firewall could be a series of commands like the following (referred from here):

# Allow something
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# Deny something (-A appends after the ACCEPT above, so this source can still reach ports 22,80,443;
# use -I, or add the DROP first, if the source must be blocked entirely)
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

iptables rules live in kernel memory only and do not survive a reboot. To preserve them, iptables-save and iptables-restore write the rule set to a file and load it back, and a service (iptables-persistent on Debian/Ubuntu, which restores /etc/iptables/rules.v4 at boot) automates the restore.
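The following is an added example, not code from the original article, that covers both of the points above: it builds a traditional INPUT-chain host firewall with a default DROP policy and writes it directly in the iptables-restore format that iptables-save produces and iptables-persistent reads. The allowed ports, the blocked addresses (documentation ranges) and the output path are placeholders; on a real host the file would go to /etc/iptables/rules.v4. The deny-list is emitted before the allow-list on purpose, since iptables stops at the first matching rule.

```shell
#!/bin/sh
# Added example, not code from the original article: emit a traditional
# host-level INPUT firewall in iptables-restore format. The output can be
# loaded with "iptables-restore < file" and is the same format that
# iptables-persistent reads from /etc/iptables/rules.v4 at boot.
# The ports, the blocked addresses and the output path are placeholders.

# build_rules PORTS [SOURCE...]
#   PORTS   comma-separated TCP ports to allow (e.g. 22,80,443)
#   SOURCE  addresses or CIDRs to drop unconditionally
build_rules() {
    ports="$1"
    shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, before the allow-list.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify never reach the allow-list.
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Deny-list first: a DROP appended after the ACCEPT would never match
    # traffic to an allowed port, because iptables stops at the first hit.
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -j DROP"
    done
    cat <<EOF
# Services exposed to the network (new connections only).
-A INPUT -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
# Keep ping working for monitoring.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Rate-limited log of what the default DROP policy will discard.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# validate_rules FILE
#   Structural checks that need no root: table header, COMMIT trailer, and
#   every deny-list DROP placed before the service allow-list.
validate_rules() {
    f="$1"
    head -n 1 "$f" | grep -q '^\*filter$' || return 1
    tail -n 1 "$f" | grep -q '^COMMIT$' || return 1
    awk '/--dports/ { seen = 1 }
         /-j DROP/ && /-s / && seen { bad = 1 }
         END { exit bad }' "$f" || return 1
    return 0
}

# kernel_check_rules FILE
#   Ask iptables-restore to parse the file against the running kernel
#   without committing it (needs root and the iptables tools installed).
kernel_check_rules() {
    iptables-restore --test < "$1"
}

# Usage: write the rule set and check it. On a real host the target would be
# /etc/iptables/rules.v4 so iptables-persistent restores it after reboot.
# NOTE: plain iptables-restore replaces the whole filter table, so any
# chains another program added (for example Docker's) are discarded.
out="${RULES_OUT:-$(mktemp)}"
build_rules 22,80,443 203.0.113.7 198.51.100.0/24 > "$out"
validate_rules "$out" && echo "rule set written to $out"
```

To activate the file on a Debian/Ubuntu host run `iptables-restore < /etc/iptables/rules.v4` (or `netfilter-persistent reload` once iptables-persistent is installed); the same file is what `iptables-save` would print back. Keep in mind that loading a complete `*filter` table this way flushes everything already in that table, which is exactly where it collides with the chains Docker manages; that collision is the subject of the rest of this article.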
