--- /etc/univention/templates/files/etc/security/packetfilter.d/20_docker.sh.org 2019-09-03 21:08:30.000000000 +0200
+++ /etc/univention/templates/files/etc/security/packetfilter.d/20_docker.sh 2019-09-04 22:04:30.183001000 +0200
@@ -32,37 +32,49 @@ # create docker chains if missing iptables --wait -L DOCKER > /dev/null 2> /dev/null || iptables --wait -N DOCKER iptables --wait -L DOCKER -t nat > /dev/null 2> /dev/null || iptables --wait -N DOCKER -t nat - iptables --wait -L DOCKER-ISOLATION -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION -t filter + iptables --wait -L DOCKER-ISOLATION-STAGE-1 -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION-STAGE-1 -t filter + iptables --wait -L DOCKER-ISOLATION-STAGE-2 -t filter > /dev/null 2> /dev/null || iptables --wait -N DOCKER-ISOLATION-STAGE-2 -t filter iptables --wait -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER iptables --wait -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER + + for NETID in $(docker network ls --filter driver=bridge --format '{{.ID}}'); do + IF=$(docker network inspect $NETID --format='{{with index .Options "com.docker.network.bridge.name"}}{{.}}{{else}}{{.Id | printf "br-%.12s"}}{{end}}') + IP=$(docker network inspect $NETID --format='{{range .IPAM.Config}}{{.Subnet}}{{end}}') + iptables --wait -A FORWARD -o "$IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables --wait -A FORWARD -o "$IF" -j DOCKER + iptables --wait -A FORWARD -i "$IF" ! -o "$IF" -j ACCEPT + iptables --wait -A FORWARD -i "$IF" -o "$IF" -j ACCEPT + iptables --wait -I DOCKER -t nat -i "$IF" -j RETURN + iptables --wait -t nat -A POSTROUTING -s "$IP" ! -o "$IF" -j MASQUERADE + iptables --wait -A DOCKER-ISOLATION-STAGE-1 -i "$IF" ! 
-o "$IF" -j DOCKER-ISOLATION-STAGE-2 + iptables --wait -A DOCKER-ISOLATION-STAGE-2 -o "$IF" -j DROP + done + @!@ import ipaddr docker0_net = ipaddr.IPv4Network(configRegistry.get('docker/daemon/default/opts/bip', '172.17.42.1/16')) docker_compose_net = ipaddr.IPv4Network(configRegistry.get('appcenter/docker/compose/network', '172.16.1.1/16')) mysql_port = configRegistry.get('mysql/config/mysqld/port', '3306') -print '\tiptables --wait -t nat -A POSTROUTING -s %s/%s ! -o docker0 -j MASQUERADE' % (str(docker0_net.network), str(docker0_net.prefixlen)) print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Apps' % (str(docker0_net.network), str(docker0_net.prefixlen), mysql_port) print '\tiptables --wait -A INPUT -s %s/%s -p tcp --dport %s -j ACCEPT # allow MySQL for Docker Compose Apps' % (str(docker_compose_net.network), str(docker_compose_net.prefixlen), mysql_port) @!@ - iptables --wait -A FORWARD -o docker0 -j DOCKER - iptables --wait -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables --wait -A FORWARD -i docker0 ! 
-o docker0 -j ACCEPT - iptables --wait -A FORWARD -i docker0 -o docker0 -j ACCEPT - iptables --wait -I DOCKER-ISOLATION -j RETURN - iptables --wait -I DOCKER -t nat -i docker0 -j RETURN - iptables --wait -I FORWARD -j DOCKER-ISOLATION + + iptables --wait -A DOCKER-ISOLATION-STAGE-1 -j RETURN + iptables --wait -A DOCKER-ISOLATION-STAGE-2 -j RETURN + iptables --wait -I FORWARD -j DOCKER-ISOLATION-STAGE-1 } nat_container_rule() { - IP=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' "$1") + IP=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1") NETID=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.NetworkID}}{{end}}' "$1") + IF=$(docker network inspect $NETID --format='{{with index .Options "com.docker.network.bridge.name"}}{{.}}{{else}}{{.Id | printf "br-%.12s"}}{{end}}') # convert "443/tcp -> 0.0.0.0:40001" to "443 tcp 0.0.0.0 40001" docker port "$1" | sed -re 's#[/>: -]+# #g' | \ while read localport proto addr containerport ; do - iptables --wait -t nat -A DOCKER ! -i docker0 -p "$proto" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" - iptables --wait -t filter -A DOCKER -d "$IP/32" ! -i docker0 -o docker0 -p "$proto" --dport "$localport" -j ACCEPT + iptables --wait -t nat -A DOCKER ! -i "$IF" -p "$proto" --dport "$containerport" -j DNAT --to-destination "$IP:$localport" + iptables --wait -t filter -A DOCKER -d "$IP/32" ! -i "$IF" -o "$IF" -p "$proto" --dport "$localport" -j ACCEPT iptables --wait -t nat -A POSTROUTING -s "$IP/32" -d "$IP/32" -p "$proto" --dport "$localport" -j MASQUERADE done }
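Review bot: `IP=$(docker network inspect $NETID --format='{{range .IPAM.Config}}{{.Subnet}}{{end}}')` in the new per-network loop joins every subnet of the network with no separator, so a network that carries more than one IPAM entry (e.g. when an IPv6 subnet is configured alongside IPv4) produces a glued value such as an illustrative `172.18.0.0/16fd00::/64` and the following `-t nat -A POSTROUTING -s "$IP" ... -j MASQUERADE` rule is rejected by iptables; the same unseparated `{{range ...}}` is used for the new `.IPAddress` template in nat_container_rule, where a container attached to several networks breaks the DNAT and filter rules in the same way. Emit one value per line (`{{range .IPAM.Config}}{{.Subnet}}{{"\n"}}{{end}}`) and install the rule once per subnet, or at least check the exit status of each added `iptables` call so a rule that fails to install is reported instead of silently missing from the ruleset — none of the added invocations check it. `$NETID` is also left unquoted in both `docker network inspect` calls; quote it as `"$NETID"` for consistency with `"$IF"`. The function the first part of the hunk belongs to starts before the hunk; nat_container_rule is complete within it.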