On Linux, Docker manipulates iptables rules to provide network isolation. By default, every external source IP is allowed to connect to the containers' published ports :/
To allow only a specific IP or network to access the containers, insert the rules below in the iptables file /etc/sysconfig/iptables.
In this case we block all connections on port 80 and allow only the office IP.
-N DOCKER-USER
-I DOCKER-USER -p tcp --dport 80 -j DROP
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT
After adding the rules, restart iptables and Docker, then check the access.
What we are doing here:
-N DOCKER-USER
— The first rule creates the DOCKER-USER chain. Docker jumps to this chain from FORWARD before its own rules and never touches the rules inside it, so it is the place for user rules that must survive a Docker restart.
-I DOCKER-USER -p tcp --dport 80 -j DROP
— All connections on port 80 are blocked.
-I DOCKER-USER -p tcp --dport 80 -s 185.2.46.131 -m comment --comment "My Office" -j ACCEPT
— Allow the office IP. Because -I inserts at the top of the chain, this rule ends up above the DROP and is evaluated first; the order of the two -I lines matters.
Use iptables -nL DOCKER-USER to check the rules:
[root@server ~]# iptables -nL DOCKER-USER
Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT tcp -- 185.2.46.131 0.0.0.0/0 tcp dpt:80 /* My Office */
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@server ~]#
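As an added example (not code from the original post), the same rules generalized to a list of allowed source IPs, plus a check that reads an iptables -nL DOCKER-USER listing and confirms the ACCEPT rules sit above the DROP and none of them is open to 0.0.0.0/0. The function names docker_user_rules and check_docker_user and the EXT_IF variable are this example's own, not part of Docker or iptables; the sample listing fed to the check is the one from the post, embedded as constructed input so the script runs without root or a live iptables.

```shell
#!/bin/sh
# Added example, not code from the original post.

# docker_user_rules PORT LABEL IP [IP...]
# Prints rule lines for the *filter section of /etc/sysconfig/iptables.
# "-I" inserts at the top of the chain, so the DROP is emitted first and each
# ACCEPT emitted afterwards lands above it, the order "iptables -nL" shows.
# If EXT_IF is set (e.g. EXT_IF=eth0) the rules match only traffic arriving on
# that interface, so containers can still reach port 80 on the outside world.
docker_user_rules() {
    port=$1; label=$2; shift 2
    pfx="-I DOCKER-USER${EXT_IF:+ -i $EXT_IF}"
    echo "-N DOCKER-USER"
    echo "$pfx -p tcp --dport $port -j DROP"
    for ip in "$@"; do
        echo "$pfx -p tcp --dport $port -s $ip -m comment --comment \"$label\" -j ACCEPT"
    done
}

# check_docker_user PORT   (reads "iptables -nL DOCKER-USER" output on stdin;
# column positions assume -nL, not -nvL)
# Prints "ok" and returns 0 only when every ACCEPT for PORT sits above the
# DROP for PORT and none of those ACCEPTs has source 0.0.0.0/0. A DROP placed
# above an ACCEPT shadows it; a missing DROP means the port is still open.
check_docker_user() {
    awk -v port="$1" '
        $1 == "DROP"   && $0 ~ ("dpt:" port "( |$)") { drop_seen = 1; next }
        $1 == "ACCEPT" && $0 ~ ("dpt:" port "( |$)") {
            if (drop_seen) shadowed = 1
            else if ($4 == "0.0.0.0/0") open_to_all = 1
            else accepts++
        }
        END {
            if (!drop_seen || shadowed || open_to_all || accepts == 0) exit 1
            print "ok"
        }'
}

# Demonstration with constructed input: the rules for one office IP, then the
# listing from the post checked for correct order.
docker_user_rules 80 "My Office" 185.2.46.131
printf '%s\n' \
    'Chain DOCKER-USER (1 references)' \
    'target prot opt source destination' \
    'ACCEPT tcp -- 185.2.46.131 0.0.0.0/0 tcp dpt:80 /* My Office */' \
    'DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80' \
    'RETURN all -- 0.0.0.0/0 0.0.0.0/0' | check_docker_user 80
```

Two things worth knowing when adapting this. First, DOCKER-USER is traversed by all traffic Docker forwards, including connections from containers out to the internet, so the unrestricted DROP above also stops containers from reaching external hosts on port 80; setting EXT_IF to the host's public interface limits the rules to inbound traffic. Second, run the check after every change to the rules file: a DROP that accidentally lands above the ACCEPT silently locks the office out, and an ACCEPT from 0.0.0.0/0 silently reopens the port.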