
I am learning iptables in combination with Docker. I am figuring out how the docker-compose host:port:port for port forwarding actually works. I understood it does some iptables magic. So I did a little test.

First I had this docker-compose.yml:

version: "3"
services:
  postgres:
    image: postgres:latest
    ports:
      - 127.0.0.1:5432:5432
    networks:
      - network
networks:
  network:

When running this, iptables -S gives:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-bd4b05981a0f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-bd4b05981a0f -j DOCKER
-A FORWARD -i br-bd4b05981a0f ! -o br-bd4b05981a0f -j ACCEPT
-A FORWARD -i br-bd4b05981a0f -o br-bd4b05981a0f -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-bd4b05981a0f -o br-bd4b05981a0f -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-ISOLATION -i docker0 -o br-bd4b05981a0f -j DROP
-A DOCKER-ISOLATION -i br-bd4b05981a0f -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN

I verified that port 5432 was indeed not accessible over the internet and only on localhost. Great!

After this, I rebooted, cleared docker (docker system prune --all --volumes --force) and started with the following docker-compose.yml:

version: "3"
services:
  postgres:
    image: postgres:latest
    ports:
      - 5432:5432
    networks:
      - network
networks:
  network:

Note that 127.0.0.1: is no longer present in this configuration. Now, when running iptables -S, I am getting exactly the same configuration:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-6ada9a016213 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-6ada9a016213 -j DOCKER
-A FORWARD -i br-6ada9a016213 ! -o br-6ada9a016213 -j ACCEPT
-A FORWARD -i br-6ada9a016213 -o br-6ada9a016213 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-6ada9a016213 -o br-6ada9a016213 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-ISOLATION -i docker0 -o br-6ada9a016213 -j DROP
-A DOCKER-ISOLATION -i br-6ada9a016213 -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN

However, this time, the service is accessible via the internet. This is intended as per the docker-compose.yml I am using this time. However, the iptables configuration is exactly the same as the one above. Strange?

How is it possible that two identical iptables configurations have different behavior? I guess I am missing some piece to understand the specifics of the Docker port forwarding functionality.

1 Answer


Have a look at the nat table with iptables -L -t nat.
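One way to make the nat-table difference visible, as an added example that is not part of the question or the answer: a small Python parser over `iptables -S -t nat` output that lists the DNAT rules in Docker's DOCKER chain and flags the ones with no `-d` host-address restriction, which is exactly what a bare `5432:5432` entry produces and a `127.0.0.1:5432:5432` entry does not. The sample rule set is constructed (bridge name and container IPs are made up), modelled on the rule format Docker writes for `ports:` entries.

```python
import re

# Constructed sample of `iptables -S -t nat` output, modelled on the rules
# Docker writes for published ports (bridge name and container IPs made up).
# 5433 is published as 127.0.0.1:5433:5432, 5432 as a bare 5432:5432.
SAMPLE_NAT_RULES = """\
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o br-6ada9a016213 -j MASQUERADE
-A DOCKER -i br-6ada9a016213 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-6ada9a016213 -p tcp -m tcp --dport 5433 -j DNAT --to-destination 172.18.0.3:5432
-A DOCKER ! -i br-6ada9a016213 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.18.0.2:5432
"""

# A DNAT rule in the DOCKER chain. The optional `-d` is what a host address in
# `ports:` adds; its absence is what makes the port reachable on every interface.
DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<dst>\S+))? ! -i \S+ -p (?P<proto>tcp|udp) -m (?:tcp|udp) "
    r"--dport (?P<port>\d+) -j DNAT --to-destination (?P<target>\S+)$"
)

def parse_published_ports(nat_rules):
    """One dict per DNAT rule: proto, host port, bind address (None = any), target."""
    published = []
    for line in nat_rules.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            dst = m.group("dst")
            published.append({
                "proto": m.group("proto"),
                "port": int(m.group("port")),
                "bind": dst.split("/")[0] if dst else None,
                "target": m.group("target"),
            })
    return published

def exposed_on_all_interfaces(nat_rules):
    """'proto/port' for every published port with no host-address restriction."""
    return [f"{p['proto']}/{p['port']}" for p in parse_published_ports(nat_rules)
            if p["bind"] in (None, "0.0.0.0")]

if __name__ == "__main__":
    for p in parse_published_ports(SAMPLE_NAT_RULES):
        print(f"{p['proto']}/{p['port']} -> {p['target']} bound to {p['bind'] or 'all interfaces'}")
    print("exposed everywhere:", exposed_on_all_interfaces(SAMPLE_NAT_RULES))
```

On a real host, feed it the output of `iptables -S -t nat` instead of the constructed sample; the filter table shown in the question is identical in both runs because the host-address restriction lives only in these nat rules.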
