My brain-dump of random code/configuration.

01 Nov 2014

Ferm Rules for Docker

The Docker daemon adds its own rules to iptables by default. If you manage your iptables rules with ferm, it is a good idea to pre-populate Docker's rules in ferm's configuration; otherwise ferm flushes and rebuilds the rule set every time it restarts, Docker's rules are gone, and containers lose their NAT and forwarding until the daemon re-adds them.

To do so, add the following at the top of your ferm.conf. Two values are referenced as ferm variables because they are missing from this page: $DOCKER_NET is Docker's bridge subnet and $SKIP_DST is the destination range Docker's own nat OUTPUT rule leaves alone; define both with @def before these rules.

domain ip {
    table filter chain FORWARD {
        # Replies to containers come back in; containers may talk to the
        # outside world and to each other.
        outerface docker0 mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
        interface docker0 outerface !docker0 ACCEPT;
        interface docker0 outerface docker0 ACCEPT;
    }
    table nat {
        # The DOCKER chain only needs to exist; the daemon fills it when
        # ports are published.
        chain DOCKER;
        chain PREROUTING {
            mod addrtype dst-type LOCAL jump DOCKER;
        }
        chain OUTPUT {
            # $SKIP_DST: destination range Docker's own OUTPUT rule excludes
            daddr !$SKIP_DST mod addrtype dst-type LOCAL jump DOCKER;
        }
        chain POSTROUTING {
            # $DOCKER_NET: Docker's bridge subnet
            saddr $DOCKER_NET outerface !docker0 MASQUERADE;
        }
    }
}

In my case Docker's subnet is and it uses docker0 as the bridge device.
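Rather than hard-coding the subnet, the fragment can be generated from the address configured on the bridge. The script below is an added example, not code from the original post: it reads the bridge's IPv4 address with `ip -4 -o addr show`, reduces it to its network (172.17.42.1/16 becomes 172.17.0.0/16) with plain POSIX arithmetic, and prints the ferm rules. Assumptions, all mine: docker0 is the bridge, 127.0.0.0/8 is the range Docker's own nat OUTPUT rule skips (Docker's default, not a value taken from this page), and every function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): emit the ferm rules for Docker
# from the bridge's configured address instead of a hard-coded subnet.
# Assumptions (labelled): docker0 is the bridge; 127.0.0.0/8 is the range
# Docker's own nat OUTPUT rule excludes (Docker's default, not from the page);
# all function names are this example's own.

# Pick the address/prefix field out of the first line of
# `ip -4 -o addr show dev <dev>` output.
docker_addr_from_ip_line() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $4 }'
}

# Reduce a host address in CIDR form to its network,
# e.g. 172.17.42.1/16 -> 172.17.0.0/16, using only shell arithmetic.
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    ipnum=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( ipnum & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Print the ferm fragment for a given subnet and bridge device.
ferm_docker_rules() {
    net=$1
    dev=${2:-docker0}
    cat <<EOF
@def \$DOCKER_NET = $net;
domain ip {
    table filter chain FORWARD {
        outerface $dev mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
        interface $dev outerface !$dev ACCEPT;
        interface $dev outerface $dev ACCEPT;
    }
    table nat {
        chain DOCKER;
        chain PREROUTING {
            mod addrtype dst-type LOCAL jump DOCKER;
        }
        chain OUTPUT {
            # loopback is skipped, as Docker's own rule does (assumed default)
            daddr !127.0.0.0/8 mod addrtype dst-type LOCAL jump DOCKER;
        }
        chain POSTROUTING {
            saddr \$DOCKER_NET outerface !$dev MASQUERADE;
        }
    }
}
EOF
}

# Read the live bridge and print the fragment; fail loudly if it has no address,
# so a broken fragment never ends up in ferm.conf.
generate_for_device() {
    dev=${1:-docker0}
    line=$(ip -4 -o addr show dev "$dev" 2>/dev/null) || line=
    if [ -z "$line" ]; then
        echo "no IPv4 address on $dev" >&2
        return 1
    fi
    ferm_docker_rules "$(cidr_network "$(docker_addr_from_ip_line "$line")")" "$dev"
}

# Usage: sh docker-ferm.sh run [bridge] > /etc/ferm/docker.conf
case "${1:-}" in
    run) generate_for_device "${2:-docker0}" ;;
esac
```

Write the output to a file that ferm.conf pulls in with `@include` ahead of your own rules, or paste it at the top as the post suggests. The network reduction matters because `ip addr` reports the host's address on the bridge (172.17.42.1/16 in Docker's default setup), not the subnet itself.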

