DEV Community

Cover image for Blocking external connections to Docker
Renan Pessoa
Renan Pessoa

Posted on • Updated on

Blocking external connections to Docker

On Linux, Docker manipulates iptables rules to provide network isolation, by default, all external source IPs are allowed to connect to the Docker daemon :/

To allow only a specific IP or network to access the containers insert the rules below in iptables file /etc/sysconfig/iptables

In this case we will block all connections on port 80 and allow only the Office IP.

-N DOCKER-USER
-I DOCKER-USER -p tcp --dport 80  -j DROP
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT
Enter fullscreen mode Exit fullscreen mode

After add the rules restart iptables and Docker, after it check the access.

What we are doing here

-N DOCKER-USER —  The first rule create the chain used by Docker
-I DOCKER-USER -p tcp --dport 80 -j DROP —  All connections in port 80 are blocked
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT —  Allow Office IP

Use iptables -nL DOCKER-USER to check the rules:

[root@server ~]# iptables -nL DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination        
ACCEPT     tcp  --  185.2.46.131    0.0.0.0/0            tcp dpt:80 /* My Office */
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          
[root@server ~]#
Enter fullscreen mode Exit fullscreen mode

Now all external connections on port 80 are blocked
Ok

Top comments (0)