How to deny network access inside a docker container?
I need to prevent my docker containers from accessing the outside world. This means that the container shouldn't do things like wget http://www.google.com
I used to follow instructions from Jérôme Petazzoni by adding an iptables rule like:
-A FORWARD -s 10.0.3.0/24 -j DROP
This doesn't seem to work anymore. I may not know how to find the correct IP for docker / lxc. I am running docker 1.1.2 with the lxc driver.
One way to do this for some is to use --net="none". However, this doesn't work for me, as I still need the adapter eth0 and its associated HWaddr in my container.
My current iptables:
*mangle
:PREROUTING ACCEPT [12966683:10182972515]
:INPUT ACCEPT [12966640:10182952166]
:FORWARD ACCEPT [42:20285]
:OUTPUT ACCEPT [12323852:11636850769]
:POSTROUTING ACCEPT [12323894:11636871054]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Sep 1 13:11:46 2014
# Generated by iptables-save v1.4.21 on Mon Sep 1 13:11:46 2014
*nat
:PREROUTING ACCEPT [5:300]
:INPUT ACCEPT [114:6824]
:OUTPUT ACCEPT [19:1152]
:POSTROUTING ACCEPT [19:1152]
:DOCKER - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Sep 1 13:11:46 2014
# Generated by iptables-save v1.4.21 on Mon Sep 1 13:11:46 2014
*filter
:INPUT ACCEPT [714:163415]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [712:338517]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -s 172.17.0.0/16 -j DROP
-A FORWARD -s 10.0.3.0/24 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 172.17.42.1/32 -j DROP
-A FORWARD -s 10.0.3.1/32 -j DROP
COMMIT
And I can see these docker0 and lxcbr0 adapters with ifconfig:
docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:43273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3061463 (3.0 MB)  TX bytes:197800 (197.8 KB)

lxcbr0    Link encap:Ethernet  HWaddr 26:e3:8d:6d:45:26
          inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::24e3:8dff:fe6d:4526/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
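An added example, not part of the question or of Docker's own code, that makes the ordering problem in the FORWARD chain above visible. iptables evaluates a chain first-match: the two DROP rules for 172.17.0.0/16 and 10.0.3.0/24 were appended with -A, so they sit behind Docker's own "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT", which already accepts every packet leaving the bridge. The script below is a small simulator of first-match semantics for the subset of iptables-save syntax that appears in the question (it is not iptables itself), fed with the FORWARD rules copied from the question and two constructed packets: a container opening a new connection to an outside web server (the constructed address 203.0.113.10 stands in for any Internet host) and a container talking to another container. The rule EGRESS_DROP and the packet contents are assumptions for the illustration.

```python
import ipaddress
import shlex

# Constructed input: the filter-table FORWARD rules exactly as listed in the
# question, in the order iptables-save printed them.
FORWARD_RULES = """
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -s 172.17.0.0/16 -j DROP
-A FORWARD -s 10.0.3.0/24 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 172.17.42.1/32 -j DROP
-A FORWARD -s 10.0.3.1/32 -j DROP
""".strip().splitlines()

# Assumed egress rule: drop traffic from the docker0 subnet unless it stays
# inside that subnet, so container-to-container traffic keeps working.
# On a live host this would be placed first with "iptables -I FORWARD 1 ...".
EGRESS_DROP = "-A FORWARD -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j DROP"

OPTION_KEYS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst",
               "-p": "proto", "--dport": "dport", "--ctstate": "ctstate"}


def parse_rule(line):
    """Parse one iptables-save rule into {'matches': {key: (negated, value)}, 'target': str}.

    Only the options used in the question are understood; anything else raises,
    so an unknown match is never silently treated as 'match everything'.
    """
    toks = shlex.split(line)
    rule = {"matches": {}, "target": None}
    i, negate = 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                 # negation applies to the next option
            negate = True
            i += 1
            continue
        if tok in ("-A", "-m"):        # chain name / match-extension loader
            i += 2
            continue
        if tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
            continue
        key = OPTION_KEYS.get(tok)
        if key is None:
            raise ValueError("unsupported option %r in %r" % (tok, line))
        val = toks[i + 1]
        if key in ("src", "dst"):
            val = ipaddress.ip_network(val, strict=False)
        elif key == "dport":
            val = int(val)
        elif key == "ctstate":
            val = set(val.split(","))
        rule["matches"][key] = (negate, val)
        negate = False
        i += 2
    return rule


def rule_matches(rule, pkt):
    """True when every match in the rule agrees with the packet (honouring '!')."""
    for key, (negated, val) in rule["matches"].items():
        if key in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[key]) in val
        elif key == "ctstate":
            hit = pkt.get("ctstate", "NEW") in val
        else:
            hit = pkt.get(key) == val
        if hit == negated:             # plain miss, or a negated hit
            return False
    return True


def walk_chain(rules, pkt, policy="ACCEPT"):
    """Return (verdict, index of the deciding rule) using first-match semantics."""
    for idx, rule in enumerate(parse_rule(r) for r in rules):
        if rule_matches(rule, pkt):
            return rule["target"], idx
    return policy, None


# Constructed packets: new outbound connection from a container, and
# container-to-container traffic on the same bridge.
CONTAINER_TO_INTERNET = {"in": "docker0", "out": "eth0", "src": "172.17.0.2",
                         "dst": "203.0.113.10", "proto": "tcp", "dport": 80}
CONTAINER_TO_CONTAINER = {"in": "docker0", "out": "docker0", "src": "172.17.0.2",
                          "dst": "172.17.0.3", "proto": "tcp", "dport": 8080}


def verdict_as_configured():
    """The chain from the question: Docker's ACCEPT at index 1 wins, DROP never runs."""
    return walk_chain(FORWARD_RULES, CONTAINER_TO_INTERNET)


def verdict_with_drop_first():
    """Same chain with EGRESS_DROP inserted at position 1: outbound traffic is dropped."""
    return walk_chain([EGRESS_DROP] + FORWARD_RULES, CONTAINER_TO_INTERNET)


def verdict_container_to_container():
    """With EGRESS_DROP first, traffic that stays on docker0 is still accepted."""
    return walk_chain([EGRESS_DROP] + FORWARD_RULES, CONTAINER_TO_CONTAINER)


if __name__ == "__main__":
    print("as configured      :", verdict_as_configured())
    print("drop inserted first:", verdict_with_drop_first())
    print("container-to-container with drop first:", verdict_container_to_container())
```

The simulator shows why appending with -A has no effect here: the outbound packet is accepted at index 1 before either DROP is reached. Inserting the rule at the head of the chain (iptables -I FORWARD 1 ...) changes the verdict to DROP, and the "! -d 172.17.0.0/16" qualifier keeps bridge-local traffic flowing. The same check applies to the lxcbr0 rules, whose ACCEPTs likewise precede the DROP for 10.0.3.0/24.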
No one has answered this question yet