The goal is to create a docker container that can connect only to certain IP addresses (both on the local network that the host belongs to, and on the Internet).

The container itself does not need to be directly accessible or expose any ports.

Example:

  1. Docker host machine 192.168.1.100
  2. Some device on 192.168.1.150 e.g. an IP camera
  3. Some cloud VPS on <static_ip>

— need to create a container that can ssh to <static_ip> and connect to the device 192.168.1.150 but cannot connect to anything else whatsoever (specifically no other containers on the host, nothing else on the 192.168.1.0 network, and perhaps even nothing else on the Internet apart from the VPS).

Note that the host runs other containers with various services on them, and those must not be interfered with.

After some research I found that I probably should create a custom bridge network like this:

docker network create --driver bridge \
-o "com.docker.network.bridge.enable_icc"="false" \
my-restricted-network

and then run the container on that network:

docker run --name my-restricted-container \
--network my-restricted-network \
-d image_name /entrypoint.sh

What do I need to do then? I guess add some iptables rules on the host which will control my-restricted-network only. How exactly?

  • Here's the iptables rule you would require: iptables -I INPUT \! --src IPHERE -m tcp -p tcp --dport porthere -j DROP. The rule is rather simple - if the source is not the IP specified and the correct port drop it. Commented May 6, 2021 at 19:20
  • @SirMuffington Thanks but 1) why does IP go to src? It's the allowed destination IP addresses that need to be narrowed down to specific ones; 2) Ports need not be restricted. Commented May 6, 2021 at 21:47
  • Oh sorry, I misread your question. You can remove the unnecessary flag and you can switch to destination. Commented May 7, 2021 at 18:28
  • @SirMuffington how do I specify that the rule applies to docker container(s) sitting in my-restricted-network only? I don't want the restriction to apply to everything on the host. Commented May 8, 2021 at 1:06
  • Glad to have guided you in the correct direction :-) Commented May 8, 2021 at 17:06

1 Answer

Okay, after half-an-hour of RTFM I found the solution.

All on the docker host:

  1. Find interface ID of my-restricted-network:
     docker network ls | grep my-restricted-network
     38d3c24a48ad   my-restricted-network   bridge    local
  2. Insert the following rules:
     iptables -I DOCKER-USER -i br-38d3c24a48ad -j DROP
     iptables -I DOCKER-USER -i br-38d3c24a48ad -d 192.168.1.150 -j ACCEPT
     iptables -I DOCKER-USER -i br-38d3c24a48ad -d <static_ip> -j ACCEPT
  • If you prefer a memorable interface name (instead of e.g. br-38d3c24a48ad), you can create a network via docker network create --opt com.docker.network.bridge.name=abcde restricted_network and use -i abcde in your iptables/nft rules. Commented Jul 17, 2021 at 5:30
  • So I suppose this requires access to a consistent host and/or launcher? i.e. If you are hosting a docker container on a variety of rented machines, you would have to see if any host options are available to you through the cloud provider. Commented Aug 10, 2023 at 14:38
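The accepted answer's three rules, as an added script that is not part of the original post: it resolves the network name to its bridge interface and installs the allowlist in DOCKER-USER. It assumes Docker's default bridge naming (`br-` plus the first 12 hex characters of the network ID, so not the `com.docker.network.bridge.name` override from the comment above) and that DOCKER-USER ends with Docker's own `-j RETURN` rule; the destination `203.0.113.7` used in the usage line is a constructed placeholder for `<static_ip>`.

```shell
#!/bin/sh
# Added example (not code from the original post). Builds an egress
# allowlist in DOCKER-USER that applies only to containers attached to
# one user-defined Docker bridge network.
# Assumptions: Docker names the bridge "br-" + first 12 hex chars of the
# network ID; DOCKER-USER ends with Docker's own "-j RETURN" rule.
set -eu

# Interface name for a (full or 12-char) Docker network ID.
bridge_iface() {
    printf 'br-%s' "$(printf '%s' "$1" | cut -c1-12)"
}

# Resolve a network name to its bridge interface via the docker CLI.
iface_for_network() {
    bridge_iface "$(docker network inspect -f '{{.Id}}' "$1")"
}

# Print rule specs (without chain/position), one per line, in the order
# they must be evaluated: one ACCEPT per allowed destination, then a
# catch-all DROP. Matching on -i restricts them to packets leaving the
# container bridge; replies arrive on another interface and are untouched,
# so no conntrack rule is needed.
build_rules() {
    iface=$1; shift
    for dst in "$@"; do
        printf -- '-i %s -d %s -j ACCEPT\n' "$iface" "$dst"
    done
    printf -- '-i %s -j DROP\n' "$iface"
}

# Insert at explicit positions 1..N so the rules sit above Docker's
# trailing RETURN (appending with -A would land after it and never match).
# "iptables -C" skips rules that already exist, so re-running is safe.
apply_rules() {
    pos=1
    build_rules "$@" | while IFS= read -r spec; do
        # $spec is intentionally word-split into iptables arguments.
        if ! iptables -C DOCKER-USER $spec 2>/dev/null; then
            iptables -I DOCKER-USER "$pos" $spec
        fi
        pos=$((pos + 1))
    done
}

# Usage (as root): ./restrict.sh apply my-restricted-network 192.168.1.150 203.0.113.7
if [ "${1:-}" = "apply" ]; then
    iface=$(iface_for_network "$2"); shift 2
    apply_rules "$iface" "$@"
fi
```

Because the rules live in the FORWARD path, the container can still reach the host itself and, since nothing here allows a resolver, must use IP addresses rather than DNS names unless the resolver's address is added to the allowlist.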
