Allow single ip to connect to docker containers

I have multiple dedicated servers running Spigot servers, and I want to only allow the main server, which runs BungeeCord, to connect to those servers. Can I edit the DOCKER-USER chain to only allow the BungeeCord server to connect, so that only one IP can connect to the Docker containers?

All Spigot servers are running in containers on server1 and server2. I wish to disable direct access to those containers and allow access only through BungeeCord, which is a proxy.

Hopefully someone understands the issue, or knows what I want to do.

I think these three commands will do it. I tried the same basic thing, but ended up going with Open vSwitch for other unrelated reasons.

Correct me if I'm wrong, but that rule will also apply to outgoing traffic. The containers do need to connect to an outside MySQL database. So then this doesn't work?

You can specify. It would be something like this.

# drop all attempts to connect to spigot servers from all IPs
# (-i is the host's external interface; traffic leaving the containers is not matched)
iptables -I DOCKER-USER -i ext_if -d SPIGOT_SERVER -j DROP

# accept connections to spigot servers from bungeecord server IP
# (insert this after the DROP so that, with -I, it ends up above it)

Thanks for your reply, I got it working with this command, because when I only allowed the bungeecord_ip the container itself couldn't use the internet.
iptables -I DOCKER-USER -i eth0 -p tcp --dport 25565 ! -s BUNGEECORD_IP -j DROP

But I think your last iptables command is the one I’m looking for, thank you so much for your help.
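As an added example that is not from this thread, here is how I would script the allow-one-IP policy in the DOCKER-USER chain, combining the port-specific match from the working command above with the allow-then-drop pattern, and making it safe to re-run. The interface name, port and proxy IP are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): lock the Spigot port on the host's
# external interface to the BungeeCord proxy via the DOCKER-USER chain.
# Only traffic arriving on EXT_IF for DPORT is matched, so the containers'
# outbound connections (e.g. to MySQL) are untouched. All addresses and
# interface names below are placeholders.
IPT="${IPT:-iptables}"                           # override for dry runs / tests
EXT_IF="${EXT_IF:-eth0}"
DPORT="${DPORT:-25565}"
BUNGEECORD_IP="${BUNGEECORD_IP:-203.0.113.10}"   # placeholder (TEST-NET-3)

# Insert a rule at the top of DOCKER-USER unless an identical one exists,
# so re-running the script does not stack duplicate rules.
ensure_rule() {
    if "$IPT" -C DOCKER-USER "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I DOCKER-USER "$@"
}

# Order matters: -I inserts at position 1, so the DROP is inserted first and
# the RETURN (allow) second, leaving the allow rule above the drop.
# RETURN hands the packet back to Docker's own FORWARD rules, which is the
# documented way to let traffic through from DOCKER-USER.
apply_spigot_policy() {
    ensure_rule -i "$EXT_IF" -p tcp --dport "$DPORT" -j DROP
    ensure_rule -i "$EXT_IF" -p tcp --dport "$DPORT" -s "$BUNGEECORD_IP" -j RETURN
}

# Usage: BUNGEECORD_IP=<proxy ip> sh spigot-docker-user.sh apply
# Verify afterwards with: iptables -L DOCKER-USER -n -v --line-numbers
if [ "${1:-}" = "apply" ]; then
    apply_spigot_policy
fi
```

Because DOCKER-USER is consulted before Docker's own rules and is never flushed by the daemon, the policy survives container restarts; run the script as root on each host that runs Spigot containers.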

