Configuring the host firewall

Stay organized with collections Save and categorize content based on your preferences.

By default, the Container-Optimized OS host firewall allows outgoing connections and accepts incoming connections only through the SSH service. You can see the exact host firewall configuration by running sudo iptables -L on a VM instance running Container-Optimized OS.

Keep in mind that the host firewall is different from Virtual Private Cloud firewall rules, which must also be configured for your applications to work correctly. See the Firewall Rules Overview to learn more about Virtual Private Cloud firewall rules.

Running containers in Docker's default network namespace

If you are deploying a container on Container-Optimized OS that must be accessible over the network and you are not using Docker's --net=host option, run your container with Docker's -p option. With this option, Docker will automatically configure the host firewall to expose your application on the network. See the Docker run reference to learn more about Docker run options.

In the following example, the nginx container will be accessible on the network on port 80:

docker run --rm -d -p 80:80 --name=nginx nginx

Running containers in the host's network namespace

If you are deploying a container on Container-Optimized OS that must be accessible over the network and you are using Docker's --net=host option, you must explicitly configure the host firewall yourself.

You can configure the host firewall with standard iptables commands. As with most GNU/Linux distributions, firewall rules configured with iptables commands will not persist across reboots. To ensure that the host firewall is correctly configured on every boot, configure the host firewall in your cloud-init configuration. Consider the following cloud-init example:


- path: /etc/systemd/system/config-firewall.service
  permissions: 0644
  owner: root
  content: |
    Description=Configures the host firewall

    ExecStart=/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
- path: /etc/systemd/system/myhttp.service
  permissions: 0644
  owner: root
  content: |
    Description=My HTTP service
    After=docker.service config-firewall.service
    Wants=docker.service config-firewall.service

    ExecStart=/usr/bin/docker run --rm --name=%n --net=host nginx
    ExecStop=-/usr/bin/docker exec %n -s quit

- systemctl daemon-reload
- systemctl start myhttp.service

Using this cloud-init configuration with a VM running Container-Optimized OS will result in the following behaviors on every boot:

  • The host firewall will be configured to allow incoming TCP connections on port 80.
  • An nginx container will listen on port 80 and respond to incoming HTTP requests.

Refer to Creating and configuring instances to learn more about using cloud-init on Container-Optimized OS.