
I have a server A, and it runs a container B (say an SSH server). I want to allow people to do some computation on B that does not access the network.

Using docker run --publish=${MY_PORT}:22 ..., I expose container B's port to allow people to connect into B. This way people can ssh into B using A's ${MY_PORT} port. However, people can initiate TCP connections to other servers (e.g. 8.8.8.8), so they can use server A as a jump host to do bad things.

Is it possible to isolate container B's network? That is, only allow access to the published port, and deny all other network traffic. I am thinking of something similar to --network=none --publish=${MY_PORT}:22. Is it possible to achieve this without editing Docker's iptables?

Eric Stdlib

0 Answers
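One way to get the effect asked about without editing Docker's iptables rules by hand, as an added example that is not part of the original question: put B on an internal Docker network (Docker itself installs the rules that block it from reaching anything outside) and publish the SSH port through a small TCP forwarder that sits on both that network and a normal bridge. The service names, the image name my-sshd and the use of the alpine/socat image are assumptions; ${MY_PORT} is reused from the question.

```yaml
# Added example (docker compose file), not taken from the question.
# "sshd" is container B from the question; it only joins the internal
# network, so Docker drops any traffic it sends toward the host's uplink.
services:
  sshd:
    image: my-sshd:latest          # placeholder image running an SSH server
    networks:
      - sandbox                    # internal network: no external route, no NAT

  # Forwarder that accepts connections on the published port and relays
  # them to sshd:22. It is the only container on both networks, and it
  # only forwards this single port, so sshd cannot use it to reach out.
  ssh-ingress:
    image: alpine/socat            # assumed image whose entrypoint is socat
    command: ["TCP-LISTEN:22,fork,reuseaddr", "TCP:sshd:22"]
    ports:
      - "${MY_PORT}:22"            # same published port as in the question
    networks:
      - sandbox
      - egress

networks:
  sandbox:
    internal: true                 # Docker blocks traffic leaving this network
  egress:
    driver: bridge                 # ordinary bridge used only by the forwarder
```

To confirm the isolation, run an outbound check from inside B (for example docker compose exec sshd nc -zw2 8.8.8.8 53): it should fail, while ssh -p ${MY_PORT} to server A still connects. Note that containers on the internal network can still talk to each other, so anything else you attach to sandbox becomes reachable from B.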