I want to restrict access to docker container ports just from specified IPs.
I set up iptables rules with ipset.
I have exposed the port 8888. The requests from port 8888 are forwarded to simple docker web server.
I defined ipset with white list IP addresses.
ipset create testfilter iphash
ipset add testfilter 192.168.52.65
Then I created iptables rules: a new chain named testfilter, and a FORWARD rule for port 8888 that should jump to testfilter. The first rule in the testfilter chain should match IPs from the white list ipset. The second rule in the testfilter chain should drop the communication when the IP doesn't match the white list.
iptables -N testfilter
iptables -I FORWARD -p tcp --dport 8888 -j testfilter
iptables -A testfilter -m set --match-set test_ips src -j RETURN
iptables -A testfilter -j DROP
But port 8888 is still accessible from any IP. I also tried to use an INPUT rule instead of the FORWARD rule, and also to remove the --dport param from the rule and put -m state --state NEW in its place. Any ideas how to fix that?
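Added example (not part of the question): a script that builds the same whitelist and hooks it from Docker's DOCKER-USER chain, matching on the conntrack original destination port, because Docker DNATs a published port in nat PREROUTING before the filter FORWARD chain sees the packet. The chain name, the dry-run wrapper and the absence of an interface match are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: Docker >= 17.06 (DOCKER-USER chain exists), the published
# host port is 8888 and the whitelist set is named "testfilter".
set -eu

PORT=8888
SET_NAME=testfilter
CHAIN=testfilter_chain   # chain name distinct from the set name for clarity

# Emit the ruleset as text so it can be reviewed or tested without root.
build_rules() {
    port=$1; set_name=$2; chain=$3
    cat <<EOF
ipset create $set_name hash:ip -exist
ipset add $set_name 192.168.52.65 -exist
iptables -N $chain 2>/dev/null || true
iptables -A $chain -m set --match-set $set_name src -j RETURN
iptables -A $chain -j DROP
iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport $port -j $chain
EOF
}
# Notes on the rules above:
# - the set name in "ipset create" and in "--match-set" must be identical;
#   a rule referencing a set that does not exist is rejected by iptables;
# - DOCKER-USER is traversed from FORWARD before Docker's own rules, and
#   survives Docker restarts, unlike rules inserted directly into FORWARD;
# - --ctorigdstport matches the port the client connected to (8888), not
#   the container port the packet carries after DNAT, so --dport 8888
#   would never match here;
# - forwarded container traffic never traverses INPUT, so INPUT rules
#   cannot restrict a published port.

# Run the generated commands (requires root and a live Docker host).
apply_rules() {
    build_rules "$@" | sh -e
}

# Show what the kernel actually holds, to confirm the rules were hit.
verify_rules() {
    iptables -L DOCKER-USER -n -v --line-numbers
    ipset list "$2"
}

case "${1:-print}" in
    apply)  apply_rules "$PORT" "$SET_NAME" "$CHAIN"; verify_rules "$PORT" "$SET_NAME" ;;
    *)      build_rules "$PORT" "$SET_NAME" "$CHAIN" ;;
esac
```

Run without arguments to print the rules for review, or with `apply` as root to install them and show the resulting counters.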