Restrict Internet Access - Docker Container

后端 未结 4 1696
南笙
南笙 2020-11-27 04:42

I have a situation to restrict internet access of the container in load balancer network. for example in that below picture

Only container4

相关标签:
4条回答
  • 2020-11-27 05:09

    Network creation for access internet

    docker network create --subnet=172.19.0.0/16 internet

    Network creation for block internet access

    docker network create --internal --subnet 10.1.1.0/24 no-internet

    If you want to connect docker container into internet

    docker network connect internet container-name
    

    If you want to block internet access

    docker network connect no-internet container-name
    

    Note

    in internal network we can't expose ports to connect outside world, please refer this question for more details

    0 讨论(0)
  • 2020-11-27 05:13

    As found here, I got this to work with docker-compose. Save as docker-compose.yml:

    version: '3'
    
    services:
      outgoing-wont-work:
        image: alpine
        networks:
          - no-internet
        command: ping -c 3 google.com # will crash
    
      internal-will-work:
        image: alpine
        networks:
          - no-internet
        command: ping -c 3 internal-and-external
    
      internal-and-external:
        image: alpine
        networks:
          - no-internet
          - internet
        command: ping -c 3 google.com
    
    networks:
      no-internet:
        driver: bridge
        internal: true
      internet:
        driver: bridge
    

    Then run docker-compose up -d, docker-compose ps will show something like this after a few seconds:

                  Name                            Command               State    Ports
    ----------------------------------------------------------------------------------
    dco_inet_internal-and-external_1   ping -c 3 google.com             Exit 0        
    dco_inet_internal-will-work_1      ping -c 3 internal-and-ext ...   Exit 0        
    dco_inet_outgoing-wont-work_1      ping -c 3 google.com             Exit 1      
    
    0 讨论(0)
  • 2020-11-27 05:32

    As stated in Bilal's answer, the internal network is a good solution if you do not need to expose the ports.

    If you do need to expose the ports, the below solution using iptables does the job for my requirements:

    docker network create --subnet 172.19.0.0/16 no-internet
    sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
    sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN
    

    Then add

    --network no-internet
    

    when you run your docker container. For instance:

    $ docker run -it --network no-internet ubuntu:focal /bin/bash
    root@9f2181f79985:/# apt update
    Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
      Temporary failure resolving 'archive.ubuntu.com'
    
    0 讨论(0)
  • 2020-11-27 05:33

    Another option, if you need to expose ports on a container without internet access, but want to let it talk to other containers would be to provide a bogus DNS configuration. This isn't a perfect solution though, since it doesn't prevent direct IP access to the outside world.

    docker-compose.yaml

    version: '3'
    
    services:
      service1:
        image: alpine
        command: sh -c 'ping service2 -c 1; ping google.com -c 1'
        dns: 0.0.0.0
      service2:
        image: alpine
        command: sh -c 'ping service1 -c 1; ping google.com -c 1'
        dns: 0.0.0.0
    
    isolated> docker-compose up
    Recreating isolated_service1_1 ... done                                                                                 Recreating isolated_service2_1 ... done                                                                                 Attaching to isolated_service2_1, isolated_service1_1
    service1_1  | PING service2 (172.18.0.2) 56(84) bytes of data.
    service1_1  | 64 bytes from isolated_service2_1.isolated_default (172.18.0.2): icmp_seq=1 ttl=64 time=0.038 ms
    service1_1  |
    service1_1  | --- service2 ping statistics ---
    service1_1  | 1 packets transmitted, 1 received, 0% packet loss, time 0ms
    service1_1  | rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms
    service2_1  | PING service1 (172.18.0.3) 56(84) bytes of data.
    service2_1  | 64 bytes from isolated_service1_1.isolated_default (172.18.0.3): icmp_seq=1 ttl=64 time=0.093 ms
    service2_1  |
    service2_1  | --- service1 ping statistics ---
    service2_1  | 1 packets transmitted, 1 received, 0% packet loss, time 0ms
    service2_1  | rtt min/avg/max/mdev = 0.093/0.093/0.093/0.000 ms
    service1_1  | ping: google.com: Temporary failure in name resolution
    service2_1  | ping: google.com: Temporary failure in name resolution
    isolated_service1_1 exited with code 2
    isolated_service2_1 exited with code 2
    
    0 讨论(0)
提交回复
热议问题