I have a situation to restrict internet access of the container in load balancer network. for example in that below picture
Only container4 connects to the Internet; other three only communicate through container4 with the outside world. For example if container1 needs smtp support, it will forward smtp request to container4 to get access.
No container other than container4 should be allowed to access the Internet directly! This should be enforced on Docker level.
I believe it will be configurable on docker network creation, can any one explain how to achieve this?
Network creation for access internet
docker network create --subnet=172.19.0.0/16 internet
Network creation for block internet access
docker network create --internal --subnet 10.1.1.0/24 no-internet
If you want to connect docker container into internet
docker network connect internet container-name
If you want to block internet access
docker network connect no-internet container-name
Note
in internal network we can't expose ports to connect outside world, please refer this question for more details
As found here, I got this to work with docker-compose. Save as docker-compose.yml:
version: '3'
services:
outgoing-wont-work:
image: alpine
networks:
- no-internet
command: ping -c 3 google.com # will crash
internal-will-work:
image: alpine
networks:
- no-internet
command: ping -c 3 internal-and-external
internal-and-external:
image: alpine
networks:
- no-internet
- internet
command: ping -c 3 google.com
networks:
no-internet:
driver: bridge
internal: true
internet:
driver: bridge
Then run docker-compose up -d, docker-compose ps will show something like this after a few seconds:
Name Command State Ports
----------------------------------------------------------------------------------
dco_inet_internal-and-external_1 ping -c 3 google.com Exit 0
dco_inet_internal-will-work_1 ping -c 3 internal-and-ext ... Exit 0
dco_inet_outgoing-wont-work_1 ping -c 3 google.com Exit 1
来源:https://stackoverflow.com/questions/39913757/restrict-internet-access-docker-container