By default, the Container-Optimized OS host firewall allows all outgoing connections and accepts incoming connections only for the SSH service. You can see the exact host firewall configuration by running sudo iptables -L (and sudo ip6tables -L for the IPv6 rules) on a VM instance running Container-Optimized OS.
Keep in mind that the host firewall is different from Virtual Private Cloud firewall rules, which must also be configured for your applications to work correctly. See the Firewall Rules Overview to learn more about Virtual Private Cloud firewall rules.
Running containers in Docker's default network namespace

If you are deploying a container on Container-Optimized OS that must be accessible over the network and you are not using Docker's --net=host option, run your container with Docker's -p option. With this option, Docker automatically configures the host firewall to expose your application on the network. See the Docker run reference to learn more about Docker run options.
In the following example, the nginx container will be accessible on the network on port 80:

docker run --rm -d -p 80:80 --name=nginx nginx
Note: If an IPv6 address is used to reach the deployed container over the network, you must explicitly configure the host firewall with ip6tables commands, for example "ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT". This is necessary because, due to a known limitation, Docker does not automatically configure the IPv6 host firewall rules that would expose your application on the network.

Running containers in the host's network namespace
If you are deploying a container on Container-Optimized OS that must be accessible over the network and you are using Docker's --net=host option, you must explicitly configure the host firewall yourself. As in the -p case, reachability over IPv6 additionally requires a matching ip6tables rule.

You can configure the host firewall with standard iptables commands. As with most GNU/Linux distributions, firewall rules configured with iptables commands do not persist across reboots. To ensure that the host firewall is correctly configured on every boot, configure the host firewall in your cloud-init configuration. Consider the following cloud-init example:
#cloud-config

write_files:
- path: /etc/systemd/system/config-firewall.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Configures the host firewall

    [Service]
    Type=oneshot
    RemainAfterExit=true
    # Rules are rebuilt from scratch on every boot, so appending with -A is safe here.
    ExecStart=/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

- path: /etc/systemd/system/myhttp.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=My HTTP service
    After=docker.service config-firewall.service
    Wants=docker.service config-firewall.service

    [Service]
    Restart=always
    # %n expands to the unit name (myhttp.service), which is reused as the container name.
    ExecStart=/usr/bin/docker run --rm --name=%n --net=host nginx
    # docker exec needs the command to run inside the container; "nginx -s quit" asks
    # nginx to shut down gracefully. The leading "-" ignores the exit status.
    ExecStop=-/usr/bin/docker exec %n nginx -s quit

runcmd:
- systemctl daemon-reload
- systemctl start myhttp.service
Using this cloud-init configuration with a VM running Container-Optimized OS results in the following behaviors on every boot:

- The host firewall allows incoming TCP connections on port 80 (over IPv4; add an equivalent ip6tables rule to config-firewall.service if the service must also be reachable over IPv6).
- The nginx container listens on port 80 and responds to incoming HTTP requests.

Refer to Creating and configuring instances to learn more about using cloud-init on Container-Optimized OS.
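Because the rules above are recreated on each boot and Docker's automatic rules cover only IPv4, it is worth verifying on the VM that the port is actually open in the chain and address family you expect. The script below is an added example, not part of the Container-Optimized OS documentation: it parses rule dumps in the format printed by iptables -S / ip6tables -S and reports whether a TCP port has an ACCEPT rule in a given chain. The rule dumps embedded here are constructed samples standing in for live output; on a real VM you would pass "$(sudo iptables -S INPUT)" and "$(sudo ip6tables -S INPUT)" instead. The DOCKER-chain sample and the container address 172.17.0.2 are likewise assumed, not captured.

```shell
#!/bin/sh
# Added example: check an iptables/ip6tables rule dump for an ACCEPT rule on a TCP port.
# Live use on a Container-Optimized OS VM:
#   tcp_port_allowed INPUT 80 "$(sudo iptables -S INPUT)"
#   port_exposure 80 "$(sudo iptables -S INPUT)" "$(sudo ip6tables -S INPUT)"

# Constructed IPv4 dump of the INPUT chain after config-firewall.service has run.
SAMPLE_V4_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT'

# Constructed IPv6 dump: nobody ran ip6tables for port 80, only an unrelated 8080 rule,
# so port 80 must be reported closed (and 8080 must not be mistaken for 80).
SAMPLE_V6_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT'

# Constructed dump of the DOCKER chain as Docker populates it for a container started
# with "-p 80:80" (container address 172.17.0.2 is an assumed value).
SAMPLE_V4_DOCKER='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT'

# tcp_port_allowed CHAIN PORT RULES
# Exit 0 if RULES contains a rule appended to CHAIN that accepts TCP traffic to PORT.
# The space required after "--dport PORT" keeps 80 from matching 8080.
tcp_port_allowed() {
  chain=$1; port=$2; rules=$3
  printf '%s\n' "$rules" |
    grep -Eq -- "^-A ${chain} .*-p tcp .*--dport ${port} .*-j ACCEPT$"
}

# port_exposure PORT V4RULES V6RULES
# Prints "v4=open|closed v6=open|closed" for the INPUT chain of each address family.
port_exposure() {
  port=$1
  v4=closed; v6=closed
  tcp_port_allowed INPUT "$port" "$2" && v4=open
  tcp_port_allowed INPUT "$port" "$3" && v6=open
  echo "v4=$v4 v6=$v6"
}

port_exposure 80 "$SAMPLE_V4_INPUT" "$SAMPLE_V6_INPUT"
```

A result of v4=open v6=closed is exactly the state the IPv6 note above describes: the container answers over IPv4 but the ip6tables rule is still missing. For a container published with -p rather than --net=host, check the DOCKER chain of the filter table instead of INPUT, since that is where Docker places its ACCEPT rule.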
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.