Ensure Docker is allowed to make changes to iptables

Details

iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Allow the Docker daemon to make changes to iptables.

Rationale:

If you choose so, Docker will never make changes to your system iptables rules. If it is allowed to do so, the Docker server automatically makes the needed changes to iptables based on the networking options you choose for the containers. It is recommended to let the Docker server make changes to iptables automatically, to avoid networking misconfigurations that might hamper communication between containers and to the outside world. Additionally, it saves you the hassle of updating iptables every time you run containers or modify networking options.

Solution

Do not run the Docker daemon with the --iptables=false parameter. For example, do not start the Docker daemon as below:
dockerd --iptables=false
Impact:
Docker daemon service start requires iptables rules to be enabled before it starts. Any restarts of iptables during docker daemon operation may result in losing docker-created rules. Adding iptables-persistent to your iptables install can assist with mitigating this impact.
Default Value:
By default, iptables is set to true.
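The following audit helper is an added example, not part of the CIS benchmark or Docker's own tooling. It checks the two places where iptables management is commonly switched off, the --iptables=false daemon flag and "iptables": false in /etc/docker/daemon.json, and runs against constructed sample inputs so it works offline; the function names and the sample command lines are assumptions made for this example.

```shell
#!/bin/sh
# Added audit helper (not from the CIS page): report whether the Docker daemon
# has been told not to manage iptables, via its command line or daemon.json.

# check_dockerd_args CMDLINE -> 0 if iptables management is left on, 1 if the
# --iptables=false flag (or its 0 spelling) is present.
check_dockerd_args() {
  case " $1 " in
    *" --iptables=false "*|*" --iptables=0 "*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_daemon_json JSON_TEXT -> 0 if no "iptables": false key is set, 1 if it is.
# Whitespace around the colon is tolerated; a missing file yields empty text.
check_daemon_json() {
  if printf '%s' "$1" | grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false'; then
    return 1
  fi
  return 0
}

# audit_iptables_setting CMDLINE JSON_TEXT -> combines both checks, prints a
# verdict, and returns 0 for PASS, 1 for FAIL.
audit_iptables_setting() {
  if check_dockerd_args "$1" && check_daemon_json "$2"; then
    echo "PASS: Docker daemon is allowed to manage iptables"
    return 0
  fi
  echo "FAIL: Docker daemon is configured with iptables management disabled"
  return 1
}

# On a live host the inputs would come from the running process and the config:
#   audit_iptables_setting "$(ps -o args= -C dockerd)" \
#                          "$(cat /etc/docker/daemon.json 2>/dev/null)"
# Constructed sample inputs for the offline demonstration below:
GOOD_CMD='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
BAD_CMD='/usr/bin/dockerd -H fd:// --iptables=false'
GOOD_JSON='{ "log-driver": "json-file" }'
BAD_JSON='{ "iptables": false, "log-driver": "json-file" }'

audit_iptables_setting "$GOOD_CMD" "$GOOD_JSON"          # PASS
audit_iptables_setting "$BAD_CMD"  "$GOOD_JSON" || true  # FAIL (flag)
audit_iptables_setting "$GOOD_CMD" "$BAD_JSON"  || true  # FAIL (daemon.json)
```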

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022