2.4 Ensure Docker is allowed to make changes to iptables - daemon.json

Information

The iptables firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the iptables ruleset.

Rationale:

Docker will never make changes to your system iptables rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. We recommended letting Docker make changes to iptables automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating iptables every time you add containers or modify networking options.

Impact:

The Docker daemon service requires iptables rules to be enabled before it starts. Any restarts of iptables during Docker daemon operation may result in losing Docker created rules. Adding iptables-persistent to your iptables install can assist with mitigation of this impact.

Solution

Do not run the Docker daemon with --iptables=false parameter. For example, do not start the Docker daemon as below:

dockerd --iptables=false

Default Value:

By default, iptables is set to true.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|4

Plugin: Unix

Control ID: a2c6c6ea215d0f681dffcc612becebf3ded6762d443fb16fce82a86cdf43e886