Solved: see my comment.

I've read through How to access host port from docker container, which suggests adding the iptables rule `iptables -A INPUT -i docker0 -j ACCEPT`; however, I'd like to only allow this on a specific port.

I've got the following iptables rules:

-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j DROP

So the intention is to only allow connection from the localhost or docker containers, and not allow external connections to port 3000.

I have tried `-A INPUT -p tcp -m tcp -i docker0 --dport 3000 -j ACCEPT`; however, this does not allow access from the container when checking with `telnet 172.17.0.1 3000`.

How can I now allow docker to access this port on localhost (the host)?

Chris Stryczynski
  • Sorry I'm an idiot - `telnet 172.17.0.1 3000` was connecting fine - just not showing any noticeable 'output', which I wrongly assumed meant it failed. Leaving it open in case anyone is in the midst of posting an answer. – Chris Stryczynski Apr 03 '18 at 11:54
  • Now how did you know I was in the middle of typing an answer? :) – BMitch Apr 03 '18 at 11:58

1 Answer

How can I now allow docker to access this port on localhost (the host)?

You can't if you want the container to have its own networking namespace. Separate network namespaces each have their own namespaced loopback interface (127.0.0.1) that is distinct from the host and other containers.

When the container tries to talk to an application on the host, it will need to connect to one of the routable IPs of the host. So you'll need iptables rules that allow traffic from the docker0 interface to talk to your other interfaces, and the application needs to talk to the host interface, not 127.0.0.1.

Or you can skip the network namespacing, attach the docker container directly to the host's networking namespace with --net host. That removes a layer of container isolation, and doesn't allow you to use docker networking to talk to other containers. But it does allow you to talk directly to 127.0.0.1 inside the container and have that reference the same loopback interface on the host.

BMitch
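The answer explains that container traffic reaches the host through docker0 with a 172.17.x.x source address, not 127.0.0.1, which is why the original `-s 127.0.0.0/8` rule never matched it. The following Python model is an added example (not code from the question or the answer) that evaluates the page's two rulesets with netfilter's first-match semantics; the container source 172.17.0.2, the external client 203.0.113.5, the interface names lo/eth0 and the default INPUT policy of ACCEPT are constructed assumptions, and only `-s`, `-i` and `--dport` matches are modelled (no conntrack or other extensions).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                                  # -j ACCEPT / DROP
    src: Optional[ipaddress.IPv4Network] = None  # -s match (None = any)
    iface: Optional[str] = None                  # -i match (None = any)
    dport: Optional[int] = None                  # --dport match (None = any)

def parse_rule(line: str) -> Rule:
    """Parse the `iptables -S` subset used here: -s, -i, --dport, -j.
    -A, -p and -m are accepted and ignored (every rule on the page is TCP)."""
    tok = line.split()
    rule = Rule(target="")
    for i, t in enumerate(tok):
        if t == "-s":
            rule.src = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == "-i":
            rule.iface = tok[i + 1]
        elif t == "--dport":
            rule.dport = int(tok[i + 1])
        elif t == "-j":
            rule.target = tok[i + 1]
    return rule

def verdict(rules: List[Rule], src: str, iface: str, dport: int,
            policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in a netfilter chain; else chain policy."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.src is not None and addr not in r.src:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return policy

# The question's original INPUT rules: only loopback sources may reach 3000.
ORIGINAL = [parse_rule(l) for l in (
    "-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 3000 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 3000 -j DROP",
)]
# Same chain with the docker0 ACCEPT inserted before the DROP (order matters).
FIXED = ORIGINAL[:1] + [parse_rule(
    "-A INPUT -i docker0 -p tcp -m tcp --dport 3000 -j ACCEPT")] + ORIGINAL[1:]
```

Against ORIGINAL the constructed container packet (172.17.0.2 via docker0) falls through to the DROP; against FIXED it is accepted while the external client on eth0 is still dropped on port 3000.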