diff --git a/README.md b/README.md
index aac528a..a5e4b3c 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,6 @@ dockerfiles
 - [ ] freegeoip
 - [ ] gitolite
 - [ ] hashcat
-- [ ] iptables
 - [ ] irc
 - [ ] tshark
@@ -38,6 +37,7 @@ dockerfiles
 - [x] hubot
 - [x] hydra
 - [x] influxdb
+- [x] iptables
 - [x] joomla
 - [x] mantisbt
 - [x] monit
diff --git a/iptables/Dockerfile b/iptables/Dockerfile
new file mode 100644
index 0000000..326bbe9
--- /dev/null
+++ b/iptables/Dockerfile
@@ -0,0 +1,21 @@
+#
+# Dockerfile for iptables
+#
+
+FROM alpine
+MAINTAINER kev
+
+RUN apk add -U iproute2
+
+ENV TCP_PORTS 80,443
+ENV UDP_PORTS 53
+ENV RATE 1mbit
+ENV BURST 1mbit
+ENV LATENCY 50ms
+ENV INTERVAL 60
+
+CMD iptables -F \
+ && iptables -A OUTPUT -p tcp -m state --state NEW -m multiport ! --dports $TCP_PORTS -j DROP \
+ && iptables -A OUTPUT -p udp -m state --state NEW -m multiport ! --dports $UDP_PORTS -j DROP \
+ && tc qdisc add dev eth0 root tbf rate $RATE burst $BURST latency $LATENCY \
+ && watch -n $INTERVAL tc -s qdisc ls dev eth0
diff --git a/iptables/README.md b/iptables/README.md
new file mode 100644
index 0000000..77727a4
--- /dev/null
+++ b/iptables/README.md
@@ -0,0 +1,31 @@
+iptables
+========
+
+- iptables: filter ports
+- tc: control traffic
+
+## docker-compose.yml
+
+```
+shadowsocks:
+ image: vimagick/shadowsocks-libev
+ environment:
+ - DNS_ADDR=8.8.8.8
+ - METHOD=chacha20
+ - PASSWORD=GUB61zGB2
+ net: container:iptables
+ restart: always
+
+iptables:
+ image: vimagick/iptables
+ ports:
+ - "8388:8388"
+ environment:
+ - TCP_PORTS=80,443
+ - UDP_PORTS=53
+ - RATE=4mbit
+ - BURST=4mbit
+ cap_add:
+ - NET_ADMIN
+ restart: always
+```
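Review bot: In iptables/Dockerfile the `RUN apk add -U iproute2` line never installs `iptables` by name even though the `CMD` invokes it first; the image presumably depends on `iproute2` pulling it in, and with the untagged `FROM alpine` that can change on a rebuild, in which case `iptables -F` fails and the `&&` chain stops before either DROP rule is appended. I would pin the base and name both packages, e.g. `FROM alpine:<pinned-tag>` and `RUN apk add --no-cache iproute2 iptables`. The egress allow-list is also IPv4-only: nothing in the `CMD` calls `ip6tables`, so if the shared network namespace carries an IPv6 address, new outbound connections over IPv6 would not be matched by these rules. Mirroring the two `-A OUTPUT` rules with `ip6tables`, or adding a comment that the container must run without IPv6, would make the restriction hold for both address families.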