# Host firewall in iptables-save format (loaded with iptables-restore).
# Rule order matters: each chain is evaluated top to bottom and the first
# matching terminating target (ACCEPT, DROP, RETURN, DNAT, ...) wins.
#
# NAT table used by Docker to route the traffic
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
# Chain that Docker fills with the DNAT rules for published ports; declared
# here so the whitelist rule below can jump into it.
# NOTE(review): iptables-restore flushes declared chains unless run with
# --noflush, so loading this file empties DOCKER — presumably the Docker
# daemon is (re)started afterwards to repopulate it; confirm on the host.
:DOCKER -
# Whitelist to access the Docker resources: only packets matching a rule in
# this chain are handed to DOCKER and can therefore be DNATed to a container.
:DOCKER-BLOCK -
# Allow Portainer agent administration from HQ only (xxx.xxx.xxx.xxx is a
# placeholder for the HQ address). Packets that match no rule here return to
# PREROUTING without having been DNATed.
-A DOCKER-BLOCK -p tcp --dport 9001 --source xxx.xxx.xxx.xxx -j DOCKER
:POSTROUTING ACCEPT
# First check the whitelist: every packet addressed to a local address of the
# host passes through DOCKER-BLOCK before anything else in PREROUTING.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK
# Default for anything the whitelist did not forward: stop processing
# PREROUTING here. RETURN in a built-in chain applies the chain policy
# (ACCEPT), so the packet is not rejected by the NAT table itself — it keeps
# the host address, skips every PREROUTING rule after this one (including a
# jump to DOCKER appended later), and is then dropped by the filter table's
# INPUT policy below.
# NOTE(review): this design assumes Docker's own PREROUTING jump to DOCKER is
# appended after these two rules; if it ends up ahead of them the whitelist is
# bypassed — verify the final order with `iptables -t nat -S PREROUTING`
# once the daemon is running.
-A PREROUTING -m addrtype --dst-type LOCAL -j RETURN
COMMIT
# Filter table
*filter
# Incoming chain: default DROP, so only the explicit ACCEPT rules below admit
# new connections to the host.
:INPUT DROP
# Allow any traffic for the localhost interface
-A INPUT -i lo -j ACCEPT
# Allow any established and related connection traffic (replies to connections
# the host opened, and helper-tracked related flows). `-m state` is the legacy
# spelling of `-m conntrack --ctstate`; the match is the same.
-A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Allow incoming PING from anywhere. Note this accepts every ICMP type, not
# only echo-request, since no --icmp-type is given.
-A INPUT -p icmp -j ACCEPT
# Allow SSH connection from anywhere (presumably sshd is bound to the
# non-default port 22222 — confirm against the sshd configuration)
-A INPUT -p tcp --dport 22222 -j ACCEPT
# Allow DNS requests from authorized hosts only (no NAT from docker, host
# interface). UDP only: TCP/53 (truncated-response fallback, zone transfers)
# is not opened and falls through to the DROP policy.
-A INPUT -p udp --dport 53 --source xxx.xxx.xxx.xxx -j ACCEPT
# Forwarding chain: default DROP. Nothing is forwarded unless a rule added
# elsewhere (e.g. by the Docker daemon at startup) allows it.
:FORWARD DROP
# Output chain: all traffic originated by the host is allowed out
:OUTPUT ACCEPT
# Save all the rules
COMMIT