Restrict Internet Access - Docker Container
I have a situation to restrict internet access of the container in load balancer network. for example in that below picture
Only container4
-
Network creation for access internet
docker network create --subnet=172.19.0.0/16 internet
Network creation for block internet access
docker network create --internal --subnet 10.1.1.0/24 no-internet
If you want to connect docker container into internet
docker network connect internet container-nameIf you want to block internet access
docker network connect no-internet container-nameNote
in internal network we can't expose ports to connect outside world, please refer this question for more details
讨论(0) -
As found here, I got this to work with docker-compose. Save as
docker-compose.yml:version: '3' services: outgoing-wont-work: image: alpine networks: - no-internet command: ping -c 3 google.com # will crash internal-will-work: image: alpine networks: - no-internet command: ping -c 3 internal-and-external internal-and-external: image: alpine networks: - no-internet - internet command: ping -c 3 google.com networks: no-internet: driver: bridge internal: true internet: driver: bridgeThen run
docker-compose up -d,docker-compose pswill show something like this after a few seconds:Name Command State Ports ---------------------------------------------------------------------------------- dco_inet_internal-and-external_1 ping -c 3 google.com Exit 0 dco_inet_internal-will-work_1 ping -c 3 internal-and-ext ... Exit 0 dco_inet_outgoing-wont-work_1 ping -c 3 google.com Exit 1讨论(0) -
As stated in Bilal's answer, the internal network is a good solution if you do not need to expose the ports.
If you do need to expose the ports, the below solution using iptables does the job for my requirements:
docker network create --subnet 172.19.0.0/16 no-internet sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURNThen add
--network no-internetwhen you run your docker container. For instance:
$ docker run -it --network no-internet ubuntu:focal /bin/bash root@9f2181f79985:/# apt update Err:1 http://archive.ubuntu.com/ubuntu focal InRelease Temporary failure resolving 'archive.ubuntu.com'讨论(0) -
Another option, if you need to expose ports on a container without internet access, but want to let it talk to other containers would be to provide a bogus DNS configuration. This isn't a perfect solution though, since it doesn't prevent direct IP access to the outside world.
docker-compose.yaml
version: '3' services: service1: image: alpine command: sh -c 'ping service2 -c 1; ping google.com -c 1' dns: 0.0.0.0 service2: image: alpine command: sh -c 'ping service1 -c 1; ping google.com -c 1' dns: 0.0.0.0isolated> docker-compose up Recreating isolated_service1_1 ... done Recreating isolated_service2_1 ... done Attaching to isolated_service2_1, isolated_service1_1 service1_1 | PING service2 (172.18.0.2) 56(84) bytes of data. service1_1 | 64 bytes from isolated_service2_1.isolated_default (172.18.0.2): icmp_seq=1 ttl=64 time=0.038 ms service1_1 | service1_1 | --- service2 ping statistics --- service1_1 | 1 packets transmitted, 1 received, 0% packet loss, time 0ms service1_1 | rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms service2_1 | PING service1 (172.18.0.3) 56(84) bytes of data. service2_1 | 64 bytes from isolated_service1_1.isolated_default (172.18.0.3): icmp_seq=1 ttl=64 time=0.093 ms service2_1 | service2_1 | --- service1 ping statistics --- service2_1 | 1 packets transmitted, 1 received, 0% packet loss, time 0ms service2_1 | rtt min/avg/max/mdev = 0.093/0.093/0.093/0.000 ms service1_1 | ping: google.com: Temporary failure in name resolution service2_1 | ping: google.com: Temporary failure in name resolution isolated_service1_1 exited with code 2 isolated_service2_1 exited with code 2讨论(0)
加载中...
- 热议问题