Assuming CentOS 6 or similar.
Grant the CAP_NET_ADMIN capability:
$ docker run --cap-add=NET_ADMIN --rm -ti hoge_image /bin/bash
Write IPTABLES_MODULES_UNLOAD=no into /etc/sysconfig/iptables-config:
bash-4.1# echo 'IPTABLES_MODULES_UNLOAD=no' >> /etc/sysconfig/iptables-config
bash-4.1# service iptables stop
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
bash-4.1# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
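Two small helpers for the steps above, written here as an added example rather than code from the original post. The first checks, from /proc/self/status, whether the shell actually has CAP_NET_ADMIN (capability number 12) before you bother with `service iptables`, which is the check that tells you whether `--cap-add=NET_ADMIN` took effect. The second sets a `KEY=VALUE` line in a sysconfig file idempotently: the stock iptables-config already carries an `IPTABLES_MODULES_UNLOAD` assignment, so `echo >>` leaves two of them (the last one wins when the init script sources the file, but it is untidy and stacks up on every run). The sample file contents and capability masks in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# cap_mask_has HEXMASK CAPNUM
#   HEXMASK is a capability bitmask as printed in /proc/self/status
#   (CapEff/CapPrm/CapBnd lines); CAPNUM is the capability number.
#   CAP_NET_ADMIN is capability 12 in the Linux capability table.
cap_mask_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# has_cap_net_admin: true if the current process's effective set has CAP_NET_ADMIN.
has_cap_net_admin() {
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status)
    cap_mask_has "$mask" 12
}

# set_sysconfig_value FILE KEY VALUE
#   Replace an existing KEY=... line in place, or append one if absent,
#   so repeated runs never produce duplicate assignments.
set_sysconfig_value() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysconfig_value FILE KEY: print the value of the last KEY= assignment
# (the same one the shell would end up with after sourcing the file).
get_sysconfig_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# count_key FILE KEY: how many KEY= assignment lines the file holds.
count_key() {
    grep -c "^$2=" "$1" || true
}

# --- demo -------------------------------------------------------------
# Constructed masks: Docker's usual default CapEff lacks bit 12,
# the second mask is the same set with CAP_NET_ADMIN added.
for m in 00000000a80425fb 00000000a80435fb; do
    if cap_mask_has "$m" 12; then
        echo "mask $m: CAP_NET_ADMIN present"
    else
        echo "mask $m: CAP_NET_ADMIN missing"
    fi
done
if [ -r /proc/self/status ]; then
    has_cap_net_admin && echo "this shell has CAP_NET_ADMIN" \
                      || echo "this shell lacks CAP_NET_ADMIN"
fi

# Constructed stand-in for /etc/sysconfig/iptables-config.
cfg=$(mktemp)
printf 'IPTABLES_MODULES=""\nIPTABLES_MODULES_UNLOAD="yes"\nIPTABLES_SAVE_ON_STOP="no"\n' > "$cfg"
set_sysconfig_value "$cfg" IPTABLES_MODULES_UNLOAD no
set_sysconfig_value "$cfg" IPTABLES_MODULES_UNLOAD no   # second run is a no-op
echo "IPTABLES_MODULES_UNLOAD=$(get_sysconfig_value "$cfg" IPTABLES_MODULES_UNLOAD)" \
     "(assignments: $(count_key "$cfg" IPTABLES_MODULES_UNLOAD))"
rm -f "$cfg"
```

Inside a container, `service iptables stop` needs IPTABLES_MODULES_UNLOAD=no because the init script would otherwise try to rmmod the netfilter modules; the container shares the host kernel and has no CAP_SYS_MODULE, so that step can only fail. CAP_NET_ADMIN is what lets iptables read and change the rules in the container's own network namespace, and nothing more than that should be granted for this.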
Use it as a companion to Serverspec. Though it seems a lot of people simply skip this inside Docker.