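# iptables-restore ruleset for a Docker host.
#
# Layout: one section per table (`*table` ... `COMMIT`). Chain declarations
# (`:CHAIN POLICY`) come first in each section, rules (`-A`) after them.
# `xxx.xxx.xxx.xxx` is a placeholder for the HQ management address; replace
# it before loading.
#
# NOTE(review): iptables-restore flushes every table it loads unless run with
# --noflush, so reloading this file while dockerd is running discards the
# rules Docker keeps in its own chains (DOCKER, DOCKER-USER, ...). Load it
# before dockerd starts, or restart dockerd afterwards.

# NAT table used by Docker to route (DNAT) traffic to published ports.
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# Docker's own DNAT chain; Docker fills it with the published-port rules.
:DOCKER -
# Whitelist to access the Docker resources: only what is listed here is
# handed to the DOCKER chain (and therefore DNAT'd to a container).
:DOCKER-BLOCK -
# Allow Portainer agent administration from HQ only.
# --dport is evaluated before DNAT, i.e. against the published host port.
-A DOCKER-BLOCK -p tcp --dport 9001 --source xxx.xxx.xxx.xxx -j DOCKER
# First check the whitelist, then stop nat processing for everything else
# addressed to a local address. RETURN in a built-in chain applies the chain
# policy (ACCEPT here), so non-whitelisted packets are simply not DNAT'd and
# continue to the filter INPUT chain below, whose DROP policy blocks them.
# This relies on Docker appending (not inserting) its own `-j DOCKER` jump
# after these two rules — confirm with `iptables -t nat -S PREROUTING` on
# the running host.
# NOTE(review): the nat table is consulted only for the packet that creates
# a connection, so this whitelist is per connection, not per packet. Traffic
# from the container bridge to a published port on a host address is caught
# here as well; presumably intended — confirm if container-to-host-port
# access is needed.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK
-A PREROUTING -m addrtype --dst-type LOCAL -j RETURN
COMMIT

# Filter table
*filter
# Incoming chain: default deny, only the rules below open anything.
:INPUT DROP
# Forwarding chain: default deny; Docker adds its own FORWARD rules
# (DOCKER-USER and the other DOCKER-* chains) for container traffic.
:FORWARD DROP
# Output chain: locally generated traffic is not restricted.
:OUTPUT ACCEPT
# Allow any traffic on the loopback interface.
-A INPUT -i lo -j ACCEPT
# Allow replies to connections the host initiated and related traffic
# (e.g. ICMP errors). `-m conntrack --ctstate` replaces the deprecated
# `-m state --state` alias; the match is identical.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): packets conntrack classifies as INVALID are not matched
# above and can still reach the port-specific ACCEPT rules below; an explicit
# `-A INPUT -m conntrack --ctstate INVALID -j DROP` here is common practice.
# Allow incoming ICMP from anywhere. No --icmp-type is given, so this is all
# ICMP types, not only echo-request (ping).
-A INPUT -p icmp -j ACCEPT
# Allow SSH on the non-default port 22222 from anywhere.
-A INPUT -p tcp --dport 22222 -j ACCEPT
# Allow DNS requests from the authorized host only. This is the host
# interface, not a NAT'd container port. Only UDP/53 is opened; add a
# matching `-p tcp` rule if TCP fallback (large responses, zone transfers)
# is needed.
-A INPUT -p udp --dport 53 --source xxx.xxx.xxx.xxx -j ACCEPT
# Apply the table.
COMMIT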