I have a docker container which needs to add some iptables rules into the host. From searching, it seems like this is supposed to work either in privileged mode or by adding CAP_NET_ADMIN and CAP_NET_RAW and in host networking mode.
However, I tried both of these and no matter what I do the docker container seems to have its own set of iptables rules. Here's an example:
On the host machine, iptables -L:
Chain INPUT (policy ACCEPT)
target       prot opt source               destination

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Chain DOCKER-USER (1 references)
target       prot opt source               destination
RETURN       all  --  anywhere             anywhere
# Warning: iptables-legacy tables present, use iptables-legacy to see them
(Note that I ran docker with iptables set to false to try to debug this, so it's a minimal set of rules; that setting doesn't seem to make a difference.)
Next, in an Ubuntu container: docker run -it --privileged --net=host ubuntu:18.04 /bin/bash
Same command (iptables -L):
Chain INPUT (policy ACCEPT)
target       prot opt source               destination

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination
So it's a totally different filter table, as if it has its own copy. Similar behavior for other tables, and I've confirmed that adding rules in the container does not add them on the host even though the container is privileged and in host networking mode.
The host is a raspberry pi running Raspbian buster. Is there something else I need to do to make this work?
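A check worth running on both sides before concluding that the container has a separate rule set, added here as an example and not part of the question: iptables 1.8 and later ship two variants, one that programs the kernel's legacy xtables backend and one that programs nf_tables, and each variant only lists rules belonging to its own backend. `iptables -V` prints which variant a binary is (e.g. "iptables v1.8.2 (nf_tables)"); pre-1.8 builds such as Ubuntu 18.04's iptables 1.6.1 print no tag and only ever speak to the legacy backend. The warning line at the end of the host listing above is exactly the nf_tables variant reporting that rules exist in the legacy backend it does not display. The script below classifies the banner, compares two banners, and detects that warning; the sample banners and listing in it are constructed, not taken from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies iptables binaries by
# backend so host and container can be compared before touching any rules.

# Map an `iptables -V` banner to "nf_tables", "legacy", or "unknown".
backend_of() {
    case "$1" in
        *"(nf_tables)"*)       echo nf_tables ;;
        *"(legacy)"*)          echo legacy ;;
        "iptables v1."[0-7]*)  echo legacy ;;   # pre-1.8 binaries have no nft support
        *)                     echo unknown ;;
    esac
}

# True when both banners resolve to the same backend, i.e. the two binaries
# would show (and edit) the same rule set on a shared kernel.
same_view() {
    [ "$(backend_of "$1")" = "$(backend_of "$2")" ]
}

# True when an `iptables -L` listing carries the nf_tables variant's note
# that rules also exist in the legacy backend it does not display.
has_legacy_warning() {
    printf '%s\n' "$1" | grep -q 'iptables-legacy tables present'
}

# Report the variant of whatever `iptables` is on PATH. Run once on the host
# and once inside the host-network container; a mismatch means each side is
# looking at a different backend of the same kernel.
report_local_backend() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables: not installed here"
        return 0
    fi
    banner=$(iptables -V 2>/dev/null || true)
    printf '%s -> %s\n' "$banner" "$(backend_of "$banner")"
}

report_local_backend
```

On Debian-based systems the two variants are installed as separate iptables-legacy and iptables-nft binaries (the host warning names the first one), so when the backends differ the container must invoke the variant matching the host, not simply run as privileged.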
I should have thought of this earlier, but I checked the Raspbian kernel version and it was 4.19.something, which is ancient at this point. So I re-installed with Ubuntu 20.04 server (which provides an arm64 distribution for the Raspberry Pi) and it seems to work as expected now. So likely it was something to do with the out-of-date kernel.