add another iptables rule to allow dns queries from container #21708
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
area/engine
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
robmry
suggested changes
Jan 2, 2025
| @@ -119,6 +119,11 @@ the source and destination. For instance, if the Docker host has addresses | |||
| `2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to | |||
| `2001:db8:1111::2` and leave `2001:db8:2222::2` open. | |||
|
|
|||
| If your containers are also querying DNS, you should add this rule as well to allow them to work: | |||
There was a problem hiding this comment.
The suggested rule isn't specific to DNS, it accepts any incoming or outgoing packet that's part of a flow that's already been allowed by some other rule.
So, how about ...
Suggested change
| If your containers are also querying DNS, you should add this rule as well to allow them to work: | |
| You may need to allow responses from servers outside the permitted external address ranges. For example, containers may send DNS or HTTP requests to hosts that are not allowed to access the container's services. The following rule accepts any incoming or outgoing packet belonging to a flow that has already been accepted by other rules. It must be placed before `DROP` rules that restrict access from external address ranges. |
There was a problem hiding this comment.
Yeap, this makes much more sense :)
thaJeztah
reviewed
Jan 2, 2025
Comment on lines
+123
to
+125
| ``` | ||
| $ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
| ``` |
There was a problem hiding this comment.
If you're updating, can you also;
- add a newline before the code-block
- add a
consolecode-hint to make sure it's properly highlighted?
Suggested change
| ``` | |
| $ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| ``` | |
| ```console | |
| $ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| ``` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
With only mentioned rule, DNS queries from containers won't work.
Reviews