add another iptables rule to allow dns queries from container #21708
Thank you @fliespl ... a hint like this to go along with the existing examples looks useful, without taking us too far down the path of providing general iptables documentation.
@@ -119,6 +119,11 @@ the source and destination. For instance, if the Docker host has addresses | |||
`2001:db8:1111::2` and `2001:db8:2222::2`, you can make rules specific to | |||
`2001:db8:1111::2` and leave `2001:db8:2222::2` open. | |||
|
|||
If your containers are also querying DNS, you should add this rule as well to allow them to work: |
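Review bot: the sentence added at the end of this hunk ("If your containers are also querying DNS, you should add this rule as well to allow them to work:") presents the rule as DNS-specific, but a `RELATED,ESTABLISHED` match accepts return traffic for any flow an earlier rule already allowed, DNS or otherwise. Suggest rewording it to say the rule permits replies from servers outside the allowed external address ranges, and stating explicitly that it has to sit before the `DROP` rules in `DOCKER-USER`; the `-I` in the command inserts at the head of the chain, which the text should say rather than leave implied.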
The suggested rule isn't specific to DNS, it accepts any incoming or outgoing packet that's part of a flow that's already been allowed by some other rule.
So, how about ...
If your containers are also querying DNS, you should add this rule as well to allow them to work: | |
You may need to allow responses from servers outside the permitted external address ranges. For example, containers may send DNS or HTTP requests to hosts that are not allowed to access the container's services. The following rule accepts any incoming or outgoing packet belonging to a flow that has already been accepted by other rules. It must be placed before `DROP` rules that restrict access from external address ranges. |
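As an added illustration of the ordering point made in the comment above (this is not code from the docs PR or from Docker's documentation), here is a small POSIX shell check that reads `iptables-save` output and confirms that the `RELATED,ESTABLISHED` ACCEPT rule in `DOCKER-USER` comes before any `DROP` or `REJECT`. The two rule sets embedded in it are constructed samples; the `192.0.2.0/24` range and the `eth0` interface are assumptions, and the function name `check_docker_user_order` is ours.

```shell
#!/bin/sh
# Added example, not part of the docs PR: lint the DOCKER-USER chain ordering
# from `iptables-save` text. A RELATED,ESTABLISHED ACCEPT rule only helps if it
# is evaluated before the DROP rules that restrict external address ranges.

# Constructed sample with the ACCEPT rule in the right place (inserted first).
GOOD_RULES='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 ! -s 192.0.2.0/24 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Same chain with the ACCEPT rule appended after the DROP: replies from servers
# outside 192.0.2.0/24 (for example DNS answers) never reach the ACCEPT rule.
BAD_RULES='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 ! -s 192.0.2.0/24 -j DROP
-A DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# check_docker_user_order: reads iptables-save text on stdin.
# Prints "ok" and returns 0 when an ACCEPT rule matching ESTABLISHED state
# (via -m state or -m conntrack) appears in DOCKER-USER before the first
# DROP/REJECT; otherwise prints the offending rule and returns 1.
check_docker_user_order() {
    awk '
        /^-A DOCKER-USER / {
            if ($0 ~ /-j (DROP|REJECT)/ && !accepted) {
                print "DROP/REJECT precedes RELATED,ESTABLISHED ACCEPT: " $0
                bad = 1
                exit
            }
            if ($0 ~ /(--state|--ctstate) [^ ]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) {
                accepted = 1
            }
        }
        END {
            if (bad) exit 1
            if (!accepted) {
                print "no RELATED,ESTABLISHED ACCEPT rule in DOCKER-USER"
                exit 1
            }
            print "ok"
        }
    '
}

# Demo on the constructed samples (on a live host: iptables-save | check_docker_user_order).
printf '%s\n' "$GOOD_RULES" | check_docker_user_order
printf '%s\n' "$BAD_RULES" | check_docker_user_order || echo "bad ordering detected, as expected"
```

On a real host, pipe `iptables-save` (or `ip6tables-save`) into the function after changing rules; because `iptables -I DOCKER-USER ...` inserts at the head of the chain while `-A` appends, the check is a quick way to confirm the intended order actually took effect.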
Yeap, this makes much more sense :)
``` | ||
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | ||
``` |
If you're updating, can you also:
- add a newline before the code-block
- add a `console` code-hint to make sure it's properly highlighted?
``` | |
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | |
``` | |
```console | |
$ iptables -I DOCKER-USER -m state --state RELATED,ESTABLISHED -j ACCEPT | |
``` |
Co-authored-by: Rob Murray <[email protected]> Co-authored-by: fliespl <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
@robmry @aevesdocker I rebased this one and applied your suggestions; PTAL
LGTM - thank you.
LGTM
Description
With only the mentioned rule, DNS queries from containers won't work.