What is the best way to limit the IP addresses which can be accessed from within a docker container?

0

I have an answer which will limit docker containers to only be able to access a single IP address outside the host. Using this iptables rule on the host:

iptables -I FORWARD -i docker0 ! -d 8.8.8.8 -j DROP

means that from inside any docker containers it is only possible to access the IP address 8.8.8.8.

This is fairly drastic - basically, if the destination is NOT 8.8.8.8 then drop the packet.

What is the best way that I can set up rules which would allow me to limit the containers to a certain number of IP addresses?

bailey86

Posted 2015-06-02T14:41:22.373

Reputation: 3

I'm no expert, but how about removing the exclamation mark and changing the end from DROP to ALLOW? Then you can add other rules for other IP addresses. And you can change the forward policy to drop too, so that the ones you allow are exceptions that you allow. So you have a whitelist – barlop – 2015-06-02T15:00:14.290

This is an unusual requirement. I have seen a solution that could be adapted to your case without breaking Docker's link facility. Could you tell us more about your application and why it requires a whitelist for outbound connections? – Arnaud Meuret – 2015-07-27T14:24:16.537

Answers

0

I needed to ensure that the dev copy of the website which was in the docker container could not access any live resources - Paypal, various APIs etc. The code in the website was legacy and many things/URLs were hard-coded.

The way I achieved this was to have something like this in the build script:

echo
echo "Setting up firewall rules for all docker containers..."
# Create the allowlist set (idempotent thanks to -exist) and populate it
sudo ipset create dockerdests hash:ip -exist
sudo ipset add dockerdests x.x.x.x -exist
sudo ipset add dockerdests y.y.y.y -exist
sudo ipset add dockerdests 8.8.8.8 -exist
sudo ipset add dockerdests 8.8.4.4 -exist
# Rule 1: accept forwarded traffic from docker0 whose destination is in the set
sudo iptables -I FORWARD 1 -i docker0 -m set --match-set dockerdests dst -j ACCEPT
# Rule 2: drop everything else leaving docker0
sudo iptables -I FORWARD 2 -i docker0 -j DROP

where x.x.x.x and y.y.y.y are dev resources.

bailey86

Posted 2015-06-02T14:41:22.373

Reputation: 3
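The approach in the answer above, reworked as an added example script (not the poster's build script): it validates each entry as a dotted-quad IPv4 address before it reaches ipset, prints the generated ipset/iptables commands so they can be reviewed, and applies them idempotently using `iptables -C` so a re-run does not stack duplicate FORWARD rules. The set name `dockerdests`, the bridge name `docker0` and the sample addresses are assumptions carried over from the answer; the addresses passed on the command line are whatever the reader's dev resources are.

```shell
#!/bin/sh
# Added example: destination allowlist for containers on the docker0 bridge.
# Assumed names (override via environment): set "dockerdests", bridge "docker0".
SET_NAME="${SET_NAME:-dockerdests}"
BRIDGE="${BRIDGE:-docker0}"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
# Catches placeholders such as "x.x.x.x" before they are handed to ipset.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that build the allowlist, one per line, without running them.
# Order matters: ACCEPT for the set goes in at position 1, the catch-all DROP
# at position 2, so both sit ahead of the rules Docker itself adds to FORWARD.
allowlist_rules() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "rejected non-IPv4 entry: $ip" >&2; return 1; }
    done
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    for ip in "$@"; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"
    done
    printf 'iptables -I FORWARD 1 -i %s -m set --match-set %s dst -j ACCEPT\n' \
        "$BRIDGE" "$SET_NAME"
    printf 'iptables -I FORWARD 2 -i %s -j DROP\n' "$BRIDGE"
}

# Apply the generated commands as root. iptables rules are only inserted when
# "iptables -C" reports they are absent, so repeated runs stay idempotent;
# ipset commands are already idempotent because of -exist.
apply_allowlist() {
    allowlist_rules "$@" | while IFS= read -r cmd; do
        case "$cmd" in
            iptables\ -I\ FORWARD*)
                check=$(printf '%s' "$cmd" | sed 's/^iptables -I FORWARD [0-9]* /iptables -C FORWARD /')
                sudo $check 2>/dev/null || sudo $cmd ;;
            *)
                sudo $cmd ;;
        esac
    done
}

# Usage: sh allowlist.sh apply 10.0.0.5 10.0.0.6 8.8.8.8 8.8.4.4
#        sh allowlist.sh show  10.0.0.5 8.8.8.8      (print rules only)
case "${1:-}" in
    apply) shift; apply_allowlist "$@" ;;
    show)  shift; allowlist_rules "$@" ;;
esac
```

Two caveats when using this on a real host. The rules match `-i docker0` only, so containers attached to user-defined bridge networks (`br-...` interfaces) are not covered and need their own rules or a wider interface match; and because Docker re-manages the FORWARD chain when the daemon restarts, the script should be re-run (it is safe to do so) after a restart. If containers on docker0 must talk to each other and the host has bridge-nf-call-iptables enabled, as Docker sets it, add an `-i docker0 -o docker0 -j ACCEPT` rule ahead of the DROP, otherwise inter-container traffic is dropped along with everything else not in the set. Note also that only the first address in a DNS answer matters to this filter: a hostname that resolves to an address outside the set is unreachable even though DNS itself (8.8.8.8 in the answer's set) still works.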