
I am using Docker to run a few server apps on a Raspberry Pi with ports exposed to the open internet. If an attacker were to successfully infiltrate my Docker containers, I would like to be certain that they cannot access other devices on my network.

Therefore, I would like to know how to lock down my docker containers so that they can only send outbound traffic to each other (when necessary, and in some cases it is not) and to the internet, but not to other devices in my LAN.

If there is a better way to achieve my end goal, I am all ears for that, also.

caps
  • Does the Raspberry Pi have to be on the same LAN as your other devices? In other words, is it just the containers that need to be isolated but you want the Pi's connectivity unchanged, or doesn't it matter? – anotherusername Feb 09 '21 at 10:35
  • In this case, no, it does not need to be on the same LAN. I have considered putting it on a guest network, although with my router that would mean forcing it to use Wifi (unless I'm overlooking some settings somewhere) – caps Feb 11 '21 at 01:17
  • Does your router model have any mention of VLAN or DMZ functionality? SMB & 'prosumer' routers would have it but ISP issued ones would likely not or have the functionality removed from my experience – anotherusername Feb 11 '21 at 02:23
  • There's a DMZ "on/off" switch (I'm assuming config would appear if I enabled it) but I don't see anything about VLAN in the config page or even in the manual. – caps Feb 12 '21 at 17:17
  • Odd, usually there'd be something in the UI or instructions about it. If you like I can have a quick squiz at the manual for you if you let me know the model. It might have been feature locked down if you were provided the router by an ISP or MSP, maybe. – anotherusername Feb 14 '21 at 20:34

1 Answer


Isn't this the default case? There is a default bridge allowing containers to communicate with each other and you can create arbitrary numbers of bridges to constrain each docker container.

From the documentation:

In terms of Docker, a bridge network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network. The Docker bridge driver automatically installs rules in the host machine so that containers on different bridge networks cannot communicate directly with each other.

Also no upstream connectivity:

By default, traffic from containers connected to the default bridge network is not forwarded to the outside world. To enable forwarding, you need to change two settings. These are not Docker commands and they affect the Docker host’s kernel.

As for all security assertions, I would test to make sure it behaves as expected.

Bradley Kreider
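One way to enforce the isolation the question asks for, as an added example that is not from the question or the answer: rules in Docker's DOCKER-USER iptables chain on the Pi that drop forwarded container traffic to private (RFC 1918) ranges while letting the container subnet itself and the internet through. The bridge name `docker0`, the container subnet `172.17.0.0/16` and the test addresses are constructed assumptions; check the real subnet with `docker network inspect bridge`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: Docker's default bridge and its default subnet.
CONTAINER_SUBNETS = ["172.17.0.0/16"]
# RFC 1918 ranges; the home LAN lives inside one of these.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    position: int                      # explicit position: Docker ends DOCKER-USER
    in_iface: str                      # with a RETURN, so appended rules never match
    dst: ipaddress.IPv4Network
    target: str                        # "RETURN" = let Docker's own rules decide, or "DROP"

    def as_iptables(self) -> str:
        # DOCKER-USER is the chain Docker reserves for administrator rules; it is
        # consulted in FORWARD before Docker's own rules, so these win.
        return (f"iptables -I DOCKER-USER {self.position} -i {self.in_iface} "
                f"-d {self.dst} -j {self.target}")


def build_rules(bridge="docker0", container_subnets=CONTAINER_SUBNETS,
                private=PRIVATE_RANGES):
    """Container-to-container first (RETURN), then every private range DROP."""
    rules = []
    for net in container_subnets:
        rules.append(Rule(len(rules) + 1, bridge, ipaddress.ip_network(net), "RETURN"))
    for net in private:
        rules.append(Rule(len(rules) + 1, bridge, ipaddress.ip_network(net), "DROP"))
    return rules


def decide(rules, in_iface, dst_ip):
    """First-match walk of the chain for one forwarded packet from in_iface.

    Falling off the end of DOCKER-USER (or hitting RETURN) hands the packet to
    Docker's own FORWARD rules, which accept outbound container traffic.
    Caveat: FORWARD does not see container-to-host traffic (that is INPUT), and
    this covers IPv4 only.
    """
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.in_iface == in_iface and dst in r.dst:
            return "ACCEPT" if r.target == "RETURN" else "DROP"
    return "ACCEPT"
```

Apply the printed commands as root on the Pi and persist them with your distribution's iptables-save mechanism, since rules in DOCKER-USER do not survive a reboot on their own.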