I want to restrict access to docker container ports just from specified IPs.

I set up iptables rules with ipset.

I have exposed the port 8888. The requests from port 8888 are forwarded to simple docker web server.

I defined ipset with white list IP addresses.

# hash:ip is the current name of the iphash set type
ipset create testfilter hash:ip
ipset add testfilter 192.168.52.65

Then I created iptables rules: a new chain named testfilter, and a FORWARD rule for port 8888 that jumps to testfilter. The first rule in the testfilter chain should match IPs from the whitelist ipset. The second rule in the testfilter chain should drop the communication when the IP doesn't match the whitelist.

# new chain that holds the whitelist check
iptables -N testfilter
# send traffic for port 8888 to that chain
iptables -I FORWARD -p tcp --dport 8888 -j testfilter
# allow sources listed in the ipset (the set name must match the one created above)
iptables -A testfilter -m set --match-set testfilter src -j RETURN
# drop everything else
iptables -A testfilter -j DROP

But port 8888 is still accessible from any IP. I also tried using an INPUT rule instead of the FORWARD rule, and also removing the --dport param from the rule and putting -m state --state NEW instead. Any ideas how to fix that?

misco

1 Answer

You can access your 8888 port because your docker container is running on localhost and the FORWARD chain isn't blocking it. Please use the -i option to specify the lo interface.

  • I didn't specify an interface in the iptables rules. I have a suspicion about the ports. Port `8888` is mapped to `8000`. Probably the `FORWARD` rule should be defined for port `8000`. – misco Jul 06 '17 at 08:57
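Taking the question and the follow-up comment together, here is an added example (not code from the original question or answer) that builds the whitelist so the published port is handled correctly. It assumes Docker 17.06 or later (so the DOCKER-USER chain exists) and reuses the set name and client address from the question; it prints the plan as a dry run and only executes it when given the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the original question or answer): whitelist clients
# for a published Docker port with ipset and the DOCKER-USER chain.
# Assumptions: Docker 17.06+ (DOCKER-USER exists); host port 8888 is the
# published port; set name and allowed address are taken from the question.
set -eu

# Accept only dotted-quad IPv4 addresses so a typo cannot silently widen the set.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Emit the ipset/iptables commands for review instead of running them.
# usage: whitelist_plan SET_NAME HOST_PORT ALLOWED_IP...
whitelist_plan() {
  set_name=$1
  host_port=$2
  shift 2
  printf 'ipset create %s hash:ip -exist\n' "$set_name"
  for ip in "$@"; do
    is_ipv4 "$ip" || { printf 'rejecting bad address: %s\n' "$ip" >&2; return 1; }
    printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
  done
  # FORWARD sees the packet after DNAT, so "--dport 8888" never matches there
  # (the asker's symptom). --ctorigdstport keys on the port the client really
  # connected to, and --ctstate NEW tests only the first packet of a flow, so
  # the container's replies are not caught by the negated source match.
  # DOCKER-USER runs before Docker's own FORWARD rules and survives restarts.
  printf 'iptables -I DOCKER-USER -p tcp -m conntrack --ctstate NEW --ctorigdstport %s -m set ! --match-set %s src -j DROP\n' \
    "$host_port" "$set_name"
}

# Dry run by default; "apply" executes the plan (needs root).
if [ "${1:-}" = apply ]; then
  whitelist_plan testfilter 8888 192.168.52.65 | sh -e
else
  whitelist_plan testfilter 8888 192.168.52.65
fi
```

Connections made from the Docker host itself to the published port never traverse FORWARD, so this rule does not affect them.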