bluenote
Posts: 99
Joined: Thu Feb 05, 2015 8:25 am

iptables and docker container tagging by UID

Fri Aug 16, 2019 5:35 pm

Hi folks. I've been asking this everywhere and not getting any responses, and so this is my last hope.

I want to use iptables to match based on UID for a running container, and I’m using DSCP tagging for this (and I have configured the container to run as the user). But I’m afraid I don’t know iptables all that well, and understand what docker does to iptables even less. I hope someone can help.

This is what I was doing before using docker to DSCP tag my application by running user: sudo iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner transmission -j DSCP --set-dscp 0x10

I’m afraid now I don’t know how to replicate this functionality.

Indeed, processes running under user “transmission” that are not running in docker do indeed get tagged properly.

thanks
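The rule from the post, alongside the reason it stops matching once the process moves into a container, as an added shell example (not code from the thread). The owner match inspects the socket that created a packet, so it is only valid in the OUTPUT and POSTROUTING chains and only sees packets generated in the host's own network namespace; a container on the default bridge sends packets that the host merely forwards, so they traverse PREROUTING/FORWARD/POSTROUTING and the owner match never applies. The container address 172.17.0.2 and the bridge name docker0 below are assumed placeholders, and the host-namespace rule assumes a container started with --network host whose numeric UID matches the host user.

```shell
#!/bin/sh
# Added example, not from the forum thread. Emits the DSCP-tagging rules
# for two cases and checks whether the owner-based rule is installed.
#
# Assumptions: CONTAINER_IP (172.17.0.2) and BRIDGE_IF (docker0) are
# placeholders; the owner rule only helps for processes in the host
# network namespace (plain processes, or containers run with --network host).

# Owner match: valid only in OUTPUT and POSTROUTING, because it matches on
# the local socket that generated the packet. This is the rule from the post.
dscp_rules_host_ns() {
    user="$1"   # username or numeric UID, e.g. transmission
    dscp="$2"   # DSCP value, e.g. 0x10
    printf 'iptables -t mangle -A OUTPUT -p tcp -m owner --uid-owner %s -j DSCP --set-dscp %s\n' \
        "$user" "$dscp"
}

# Bridged container: the host forwards the container's packets, so they never
# pass OUTPUT and carry no local socket owner. Match what the host can see
# instead: the ingress bridge interface and the container's source address.
dscp_rules_bridged() {
    container_ip="$1"  # placeholder; read the real one from `docker inspect`
    bridge_if="$2"     # placeholder; docker0 is Docker's default bridge
    dscp="$3"
    printf 'iptables -t mangle -A PREROUTING -i %s -s %s -p tcp -j DSCP --set-dscp %s\n' \
        "$bridge_if" "$container_ip" "$dscp"
}

# Check whether an owner-based DSCP rule for the user is present in the
# mangle table. iptables-save records the UID numerically, so resolve it first.
# Returns 0 if found, 1 if absent, 2 if iptables-save is not available.
has_owner_dscp_rule() {
    user="$1"
    command -v iptables-save >/dev/null 2>&1 || return 2
    uid=$(id -u "$user" 2>/dev/null || printf '%s' "$user")
    iptables-save -t mangle 2>/dev/null | grep -q -- "--uid-owner $uid .*-j DSCP" && return 0
    return 1
}

# Usage (print the rules; pipe into `sudo sh` to apply them):
#   dscp_rules_host_ns transmission 0x10
#   dscp_rules_bridged 172.17.0.2 docker0 0x10
#   has_owner_dscp_rule transmission && echo "owner rule present"
```

To confirm which rule is actually seeing traffic, compare the packet counters of the two rules with `iptables -t mangle -L -v -n` while the container is transferring: for a bridged container the OUTPUT owner rule stays at zero and only the PREROUTING rule counts up.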

epoch1970
Posts: 4145
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: iptables and docker container tagging by UID

Fri Aug 16, 2019 8:58 pm

Probably not the best solution but if you have “iptables: false” in daemon.json, the docker engine will not attempt altering the existing ruleset in any way.
"If there is no solution, it's because there is no problem." Les Shadoks, J. Rouxel

bluenote
Posts: 99
Joined: Thu Feb 05, 2015 8:25 am

Re: iptables and docker container tagging by UID

Tue Aug 20, 2019 6:28 pm

Thanks for the suggestion. I do want to continue to have docker manage its communications because, well, I'm not sure what evils accrue if I don't, heh. But really I'd rather stay standard and just figure out which table/chain I could use to tag the traffic. You'd be surprised how many places I have asked, and it's almost like barely anyone knows enough about iptables to really know how it works, but more so just about how to navigate how it's usually set up. :/
