Block external access to docker containers [closed]

Answer 1

Rather than doing this with IP tables you could use the docker network create NETWORK command to create a network to connect your apps to as well as your proxy. Also don't expose the apps on any ports. The only container you should expose is your proxy. From within the proxy you can then route traffic using the container name as a hostname. Each container on the same network can be reached by other containers.

For example if

• I have container A which has a name of my-service and a service running on port 3000 and no ports published to the host
• Container B which is a proxy running on port 80 published to the host. My proxy can pass requests to http://my-service:3000 and it will route traffic to the container.
• If I try to go to http://mydomain:3000 this wont work as ports have not been exposed and the only way to reach the app is via the proxy on port 80

I'd suggest taking a read of https://docs.docker.com/engine/userguide/networking/work-with-networks/ as this explains how to get started with networking.

Full Disclosure: I run this kind of setup on my personal VPS and cannot access my containers via ports directly. Using the built in docker networking will probably play better than messing around with your IP tables

Hope this is useful.

Dylan

Edit

I have generalised the process as I do not know the specifics of your setup with regards to proxies, network restrictions etc. I have also not gone into specific commands as the link above covers it better than I would.

Answer 2

I realize I'm responding to an old thread, but I've spent most of a morning frustrated by this problem. This post shows at the top of a google search, but I feel the accepted answer does not answer the OP's question, but instead offers a different design as a way of avoiding the problem stated in the original question. That solution requires standing up a new docker image to act as a gateway to the original docker.

It is possible the following information was not available at the time of the original question, but what I found from Docker.com is this link https://docs.docker.com/network/iptables/ which appears to answer the original question when it states:

" By default, all external source IPs are allowed to connect to the Docker daemon. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, the following rule restricts external access to all IP addresses except 192.168.1.1:

$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP"

and

"If you need to add rules which load before Docker’s rules, add them to the DOCKER-USER chain."

But regrettably, I have attempted that solution and it too does not appear to work for me on docker version 17.05.0-ce

Answer 3

Addition to comment by @Ezarate11 (since I dont have enough rep to comment), make sure the --dport is the port that is being forwarded to, not the port that is exposed.

For example, if your configuration is 0.0.0.0:64743->80, then you would need to do

sudo iptables -I DOCKER-USER -p tcp -i eth0 ! -s 192.27.27.90 --dport 80 -j REJECT

This detail alone took me a while to figure out, I didn't see this mentioned anywhere else.

Answer 4

As @dpg points out, this problem is frustating if you need to tackle it from a newbie point of view.

The main problem for me (as I try to resolve also the problems of @dpg's answer), is that the Docker documentation is confusing in two of the pages that address this (link1 and link2)

To summarize, and to save time for others, if you don't have a lot of knowledge, and fall into the "Docker and iptables", the answer is there, just that they have missed this: where ext_if is the name of the interface providing external connectivity to the host.

Instead, in the "Understand container communication" link, there is indeed a little text that exactly points that ext_if should be the network interface.

So, for me to limit the access to a docker exposed port (ex: 6782) (that means that the DOCKER-USER needs to be modified and not the common INPUT chain) to a certain IP (ex: 192.27.27.90) and restrict all others, I need to do this, which works in my case:

sudo iptables -I DOCKER-USER -p tcp -i eth0 ! -s 192.27.27.90 --dport 6782 -j REJECT

(Here I suppose that the network interface that communicates with the outside world is eth0 and that you want to REJECT instead of DROP).

If more clarification is needed, I will be glad to assist.