Restrict Internet Access - Docker Container

送分小仙女□ 提交于 2019-11-26 22:22:48

问题


I have a situation to restrict internet access of the container in load balancer network. for example in that below picture

Only container4 connects to the Internet; other three only communicate through container4 with the outside world. For example if container1 needs smtp support, it will forward smtp request to container4 to get access.

No container other than container4 should be allowed to access the Internet directly! This should be enforced on Docker level.

I believe it will be configurable on docker network creation, can any one explain how to achieve this?


回答1:


Network creation for access internet

docker network create --subnet=172.19.0.0/16 internet

Network creation for block internet access

docker network create --internal --subnet 10.1.1.0/24 no-internet

If you want to connect docker container into internet

docker network connect internet container-name

If you want to block internet access

docker network connect no-internet container-name

Note

in internal network we can't expose ports to connect outside world, please refer this question for more details




回答2:


As found here, I got this to work with docker-compose. Save as docker-compose.yml:

version: '3'

services:
  outgoing-wont-work:
    image: alpine
    networks:
      - no-internet
    command: ping -c 3 google.com # will crash

  internal-will-work:
    image: alpine
    networks:
      - no-internet
    command: ping -c 3 internal-and-external

  internal-and-external:
    image: alpine
    networks:
      - no-internet
      - internet
    command: ping -c 3 google.com

networks:
  no-internet:
    driver: bridge
    internal: true
  internet:
    driver: bridge

Then run docker-compose up -d, docker-compose ps will show something like this after a few seconds:

              Name                            Command               State    Ports
----------------------------------------------------------------------------------
dco_inet_internal-and-external_1   ping -c 3 google.com             Exit 0        
dco_inet_internal-will-work_1      ping -c 3 internal-and-ext ...   Exit 0        
dco_inet_outgoing-wont-work_1      ping -c 3 google.com             Exit 1      


来源:https://stackoverflow.com/questions/39913757/restrict-internet-access-docker-container

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!