List IP tables in Docker Container
Capabilities
If you want have iptables access within your containers, you need to enable specific capabilities via the --cap-add=NET_ADMIN switch when running the container initially.
Example
$ docker run --cap-add=NET_ADMIN -it ubuntu:16.04
Then in the container set up iptables & sudo:
# apt update -y
# apt-get install iptables sudo -y
Then inside the container, set up a user, user1, and added it to the sudo group:
# adduser user1
# adduser user1 sudo
Then set user to user1:
# su - user1
Check user1's sudo permissions:
$ sudo -l
[sudo] password for user1:
Matching Defaults entries for user1 on 1356bf8bd61a:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user1 may run the following commands on 1356bf8bd61a:
(ALL : ALL) ALL
Check if they can access iptables via sudo:
$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
References
- How to start “ubuntu” docker container
- Docker run reference
- How can I add a new user as sudoer using the command line?
- How to disable requiretty for a single command in sudoers?
Related videos on Youtube
06 : 25
19 : 46
06 : 17
22 : 41
02 : 28
northsideknight
Updated on September 18, 2022Comments
-
northsideknight over 1 year
I want to run the
iptablescommand in a Ubuntu 16.04 Docker container. I have created a user, given that user root permissions, added them to thesudogroup, but I am still being told that I am not runningiptablesas root.$ groups stack root sudo $ sudo whoami root $ sudo iptables --list iptables v1.6.0: can't initialize iptables table `filter': Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded.In my
/etc/sudoersfile I have the line:%sudo ALL=(ALL:ALL) ALL, which I believe should allow any user in thesudogroup (which I am) to run any command, but I still get the permission denied error.How would I successfully run the
iptablescommand as this user?Please note I am doing this in a Docker container with image:
ubuntu:16.04 -
northsideknight almost 6 yearsThat worked! Thanks for the detailed answer! Alternatively, I also found that using the
--privilegedflag works as well -
Stephane over 4 yearsHow would you do it in Compose 3 ? The doc says the cap_add: option is ignored docs.docker.com/compose/compose-file -
Adan Rehtla about 4 yearsThecap_addandcap_dropoptions are ignored when deploying a stack in swarm mode