Docker Community Forums

Blocking traffic to one of the service containers

swarm
docker

(Warrior7089) #1

There are 3 distinct VMs where a RabbitMQ service is deployed in global mode.
My goal is to block traffic to one of the RabbitMQ service containers.
I tried using iptables to reproduce a RabbitMQ network partition scenario

by adding an iptables rule

iptables -A DOCKER-INGRESS -d 10.255.0.33 -p tcp --dport amqp -m state --state ESTABLISHED,RELATED -j DROP

on the 2 Docker nodes where the RabbitMQ service task containers run.
10.255.0.33 is the IP of the container on the swarm overlay network, taken from the docker service inspect output.
However, traffic still passes through and the network partition is not reproduced.
How do I block traffic to a service container correctly?


#2

I am trying to perform the same action to simulate a network partition.
I am using 3 Docker containers, each with its own RabbitMQ instance running.
Have you managed to find a way to block traffic to one of them in order to simulate a network partition?


(Warrior7089) #3

Hi, yes.
The idea is to use iptables inside one of them to block inbound and outbound traffic to the 2 other containers' virtual IPs.
I'll post exact instructions on Sunday if you still need them.


#4

That would actually be really useful.
Also, how did you manage to give your Docker container holding the RabbitMQ node the IP 10.255.0.33?


(Warrior7089) #5

Suppose you want to block traffic from/to the container identified by container_id.
Steps 2-3 should run inside the container.

  1. Enter the container:

docker exec -it --privileged --env http_proxy=proxy_ip container_id bash   # --privileged: iptables needs the NET_ADMIN capability

--env http_proxy=proxy_ip

is not needed if you can connect to the web directly and are not behind some (corporate) proxy.

  2. This step assumes that the underlying image OS is Debian based. If it's Red Hat based, use the equivalent yum package installer commands. If it's some other OS family, use the appropriate package installer commands.

Install iptables:

apt-get update && apt-get install -y iptables

  3. Block traffic to/from the container whose virtual IP is 10.0.0.183:
  • iptables -A OUTPUT -d 10.0.0.183 -j DROP   # outbound: the peer is the destination
  • iptables -A INPUT -s 10.0.0.183 -j DROP    # inbound: the peer is the source
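
As an added example that is not part of the original thread (and not the poster's own script), the following POSIX shell script wraps steps 2-3 of the post above so they can be run inside the isolated RabbitMQ container for any number of peers, and it also reverses the rules to heal the partition afterwards (the post only covers creating it). The container id, the peer addresses 10.0.0.183 and 10.0.0.184 and the script path /tmp/partition.sh are placeholders; it assumes a Debian-based image and that docker exec --privileged grants the NET_ADMIN capability iptables needs.

```shell
#!/bin/sh
# partition.sh: added example, not code from the forum thread. Copy it into
# the container you want to isolate and run it there with --privileged:
#   docker cp partition.sh container_id:/tmp/partition.sh
#   docker exec -it --privileged container_id sh /tmp/partition.sh on  10.0.0.183 10.0.0.184
#   docker exec -it --privileged container_id sh /tmp/partition.sh off 10.0.0.183 10.0.0.184
# Assumptions (not stated in the thread): Debian-based image, --privileged
# supplies NET_ADMIN, and the peer IPs are placeholders for the other nodes'
# overlay addresses.
set -eu

# Map the action to the iptables operation: append rules to create the
# partition, delete the same rules to heal it.
rule_op() {
    case "$1" in
        on)  echo "-A" ;;
        off) echo "-D" ;;
        *)   echo "rule_op: expected on|off, got '$1'" >&2; return 2 ;;
    esac
}

# Emit one rule per direction per peer: drop what arrives *from* the peer
# (INPUT matches the source) and what we send *to* it (OUTPUT matches the
# destination). An INPUT rule keyed on -d with the peer address never fires.
partition_rules() {
    for peer in "$@"; do
        printf 'INPUT -s %s -j DROP\n' "$peer"
        printf 'OUTPUT -d %s -j DROP\n' "$peer"
    done
}

# Install iptables only if the image lacks it (step 2 of the post).
ensure_iptables() {
    command -v iptables >/dev/null 2>&1 && return 0
    apt-get update && apt-get install -y iptables
}

# Apply (on) or remove (off) the rules for every peer given.
apply_rules() {
    op=$(rule_op "$1"); shift
    partition_rules "$@" | while read -r chain args; do
        # $args is intentionally unquoted: it is a list of iptables arguments.
        iptables "$op" "$chain" $args
    done
}

# Exit 0 if traffic to and from the peer is currently dropped. `iptables -S`
# prints host rules with a /32 mask, which is the form we look for.
is_blocked() {
    iptables -S INPUT  | grep -q -- "-s $1/32 -j DROP" &&
    iptables -S OUTPUT | grep -q -- "-d $1/32 -j DROP"
}

main() {
    [ $# -ge 2 ] || { echo "usage: $0 on|off peer_ip [peer_ip...]" >&2; exit 2; }
    action=$1; shift
    ensure_iptables
    apply_rules "$action" "$@"
    for peer in "$@"; do
        if is_blocked "$peer"; then echo "$peer: blocked"; else echo "$peer: reachable"; fi
    done
    # Show the cluster view from this node if rabbitmqctl is present in the image.
    command -v rabbitmqctl >/dev/null 2>&1 && rabbitmqctl cluster_status || true
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

The direction of the match is the part that is easy to get wrong: packets arriving from a peer have the local container as their destination, so the INPUT rule must name the peer with -s, while the OUTPUT rule names it with -d. RabbitMQ does not report the partition the instant packets start being dropped; the other nodes only notice once the Erlang net tick timeout expires, so run rabbitmqctl cluster_status again a little later to see the partition.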

#6

Thank you so much for your help!