loading...
Cover image for Blocking external connections to Docker

Blocking external connections to Docker

renanpessoa profile image Renan Pessoa Updated on ・1 min read

On Linux, Docker manipulates iptables rules to provide network isolation, by default, all external source IPs are allowed to connect to the Docker daemon :/

To allow only a specific IP or network to access the containers insert the rules below in iptables file /etc/sysconfig/iptables

In this case we will block all connections on port 80 and allow only the Office IP.

-N DOCKER-USER
-I DOCKER-USER -p tcp --dport 80  -j DROP
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT

After add the rules restart iptables and Docker, after it check the access.

What we are doing here

-N DOCKER-USER —  The first rule create the chain used by Docker
-I DOCKER-USER -p tcp --dport 80 -j DROP —  All connections in port 80 are blocked
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT —  Allow Office IP

Use iptables -nL DOCKER-USER to check the rules:

[root@server ~]# iptables -nL DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  185.2.46.131    0.0.0.0/0            tcp dpt:80 /* My Office */
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          
[root@server ~]#

Now all external connections on port 80 are blocked
Ok

Posted on by:

Discussion

pic
Editor guide