Blocking external connections to Docker

On Linux, Docker manipulates iptables rules to provide network isolation, by default, all external source IPs are allowed to connect to the Docker daemon :/

To allow only a specific IP or network to access the containers insert the rules below in iptables file /etc/sysconfig/iptables

In this case we will block all connections on port 80 and allow only the Office IP.

-N DOCKER-USER
-I DOCKER-USER -p tcp --dport 80  -j DROP
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT

After add the rules restart iptables and Docker, after it check the access.

What we are doing here

-N DOCKER-USER —  The first rule create the chain used by Docker
-I DOCKER-USER -p tcp --dport 80 -j DROP —  All connections in port 80 are blocked
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT —  Allow Office IP

Use iptables -nL DOCKER-USER to check the rules:

[root@server ~]# iptables -nL DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  185.2.46.131    0.0.0.0/0            tcp dpt:80 /* My Office */
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          
[root@server ~]#

Now all external connections on port 80 are blocked

GIF