Profile Applicability:
Level 1
Description:
Docker requires the ability to modify iptables in order to create the necessary network rules for container communication. This configuration ensures that containers can communicate with each other and with external networks, as required.
Rationale:
Allowing Docker to modify iptables rules ensures that containers can be networked together in a secure manner. If Docker is not allowed to modify iptables, it may prevent container communication or disrupt networking functionality.
Impact:
Pros:
Ensures that Docker's network management works as intended, providing the necessary isolation and connectivity between containers.
Cons:
Requires trusting Docker to manage the host's iptables rules securely.
Default Value:
By default, Docker is allowed to manage iptables rules unless explicitly disabled in the Docker configuration.
Pre-requisites:
Administrative access to the Docker host system.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify if Docker is configured to modify iptables by running the following command:
docker info | grep "iptables"
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check Docker's iptables configuration:
docker info | grep "iptables"
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Modify the Docker daemon configuration file /etc/docker/daemon.json to allow Docker to manage iptables:
{ "iptables": true }
Restart Docker to apply the changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to write the Docker configuration and restart Docker. Note that this command replaces the whole of /etc/docker/daemon.json, so any other settings already in that file must be re-added:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"{\\\"iptables\\\": true}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]}'
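The Test Plan and Implementation Plan above both work on the "iptables" key of /etc/docker/daemon.json. The following added example (not part of the benchmark text or of Docker's own tooling) does the same two things from Python: it audits the effective setting, treating an absent file or absent key as the default of enabled as described under Default Value, and it sets the key while keeping every other setting in the file, which a plain `echo '{...}' > daemon.json` would discard. The file path and the rule that only an explicit `false` disables iptables management are assumptions taken from this page.

```python
"""Audit and remediate the Docker daemon's iptables setting in daemon.json.

Added example, not part of the benchmark text or Docker's own tooling.
Assumptions: the setting lives under the top-level "iptables" key of
/etc/docker/daemon.json and an absent key means the default (enabled).
"""
import json
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")  # assumed default path


def iptables_enabled(config_text):
    """Return True when the config allows Docker to manage iptables.

    A missing file, an empty file, or a config without the key all mean
    the default (enabled). Only an explicit false disables it.
    Raises ValueError on malformed JSON so an audit never silently passes.
    """
    if not config_text or not config_text.strip():
        return True
    config = json.loads(config_text)
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    value = config.get("iptables", True)
    if not isinstance(value, bool):
        raise ValueError('"iptables" must be a JSON boolean')
    return value


def set_iptables(config_text, enabled=True):
    """Return new daemon.json text with "iptables" set, keeping other keys.

    Unlike `echo '{...}' > daemon.json`, this preserves unrelated settings
    (log drivers, registry mirrors, ...) already present in the file.
    """
    config = json.loads(config_text) if config_text and config_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    config["iptables"] = bool(enabled)
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def audit_file(path=DAEMON_JSON):
    """Read the file (an absent file means the default) and report the setting."""
    text = path.read_text() if path.exists() else ""
    return iptables_enabled(text)


def remediate_file(path=DAEMON_JSON, enabled=True):
    """Rewrite the file in place with "iptables" set; restart dockerd afterwards."""
    text = path.read_text() if path.exists() else ""
    path.write_text(set_iptables(text, enabled))


if __name__ == "__main__":
    # Constructed sample: an existing config with an unrelated setting.
    sample = '{"log-driver": "json-file", "iptables": false}'
    print("before:", "enabled" if iptables_enabled(sample) else "DISABLED")
    fixed = set_iptables(sample, True)
    print(fixed)
    print("after:", "enabled" if iptables_enabled(fixed) else "DISABLED")
```

Run `remediate_file()` as root and then `sudo systemctl restart docker`, as in the plan above. One caveat for the audit: dockerd also accepts the setting as a command-line flag (`--iptables=false`) in its service unit, which a daemon.json-only check does not see, so an audit should also inspect the dockerd command line.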
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Modify the Docker daemon configuration file /etc/docker/daemon.json to disable Docker's management of iptables:
{ "iptables": false }
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the Docker configuration and restart Docker. As with the implementation command, this replaces the whole of /etc/docker/daemon.json:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"{\\\"iptables\\\": false}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]}'
References:
CIS Docker Benchmark