The Docker daemon should be allowed to configure the firewall rules
Description
The iptables firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the iptables ruleset.
Rationale
Docker will not change your system's iptables rules unless you allow it to. If you do, the Docker server automatically makes any changes it requires. You should let Docker manage iptables automatically in order to avoid networking misconfigurations that could affect communication between containers and with the outside world. This also reduces the administrative overhead of updating iptables every time you add containers or modify networking options.
Audit
To confirm that the Docker daemon is allowed to change the iptables ruleset, review the dockerd startup options and the settings in /etc/docker/daemon.json. To review the dockerd startup options, run:
Ensure that the --iptables parameter is either not present or not set to false. Also review the /etc/docker/daemon.json file to check that the iptables setting is not set to false.
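As an added example (not part of the benchmark text), a POSIX shell helper that performs the two audit checks just described: one over the dockerd command line and one over /etc/docker/daemon.json. The function names are assumptions, and both checks take their input as arguments so they can be exercised without a running daemon.

```shell
#!/bin/sh
# Added audit helper for this recommendation; not part of the CIS benchmark text.
# Function names are hypothetical. Exit status 0 means "compliant" for each check.

# dockerd uses Go's flag parsing, which accepts several spellings of false.
is_false_flag() {
  case "$1" in
    false|False|FALSE|f|F|0) return 0 ;;
    *) return 1 ;;
  esac
}

# $1: the complete dockerd command line (for example from: ps -ef | grep '[d]ockerd').
# Non-compliant only on an explicit --iptables=<false>; absent or true passes.
check_dockerd_args() {
  for word in $1; do
    case "$word" in
      --iptables=*) is_false_flag "${word#--iptables=}" && return 1 ;;
    esac
  done
  return 0
}

# $1: daemon.json path. Compliant if the file is absent or "iptables" is not false.
# grep, not a JSON parser: covers the usual {"iptables": false} layout (use jq for more).
check_daemon_json() {
  [ -f "$1" ] || return 0
  grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1" && return 1
  return 0
}

# Run both checks on the live host and report; returns 1 on any finding.
audit_iptables() {
  rc=0
  cmdline=$(ps -ef | grep '[d]ockerd' | head -n 1)
  if [ -z "$cmdline" ]; then
    echo "INFO: dockerd is not running; startup options not checked"
  elif check_dockerd_args "$cmdline"; then
    echo "PASS: dockerd started without --iptables=false"
  else
    echo "FAIL: dockerd started with --iptables=false"; rc=1
  fi
  if check_daemon_json "${1:-/etc/docker/daemon.json}"; then
    echo "PASS: daemon.json does not set iptables to false"
  else
    echo "FAIL: daemon.json sets iptables to false"; rc=1
  fi
  return "$rc"
}
```

Source the file and call audit_iptables on the host to produce the report; an optional argument overrides the daemon.json path.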
Remediation
Do not run the Docker daemon with the --iptables=false parameter.
Impact
The Docker daemon service requires iptables rules to be enabled before it starts. Any restart of iptables while the Docker daemon is running may result in losing the Docker-created rules. Installing iptables-persistent alongside iptables can mitigate this.
Default value
By default, iptables is set to true.
References
- https://docs.docker.com/engine/userguide/networking/default_network/container-communication/
- https://fralef.me/docker-and-iptables.html
CIS controls
Version 6, Control 5: Controlled Use of Administrative Privileges