I’ve got a CentOS server running Docker and I’m trying to secure it using iptables. And I can’t work out how to let containers access the internet, without their ports being accessible from outside.
I’ve stopped Docker messing with my iptables using the ‘–iptables=false’ command and am now struggling to configure iptables manually.
I want to set up the firewall so that:
- Inputs are dropped unless I specifically open them
- Containers can communicate with each other via the localhost connection
- Containers can make connections to the internet to download code etc
I have the first two, but whatever I try to enable the third invalidates the first!
I have two test containers. An httpd container forwarding its web output port 3333 - and another container running Debian.
IPTables is configured with
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
So from outside I cannot access myserver:3333.
But I can run from the host: curl localhost:3333 and have access.
I then added:
iptables -A INPUT -i docker0 -j ACCEPT
And now I can run in my debian test container curl 172.17.0.1:3333 and that works fine too.
But if I’m in the test container and try: curl httpbin.org/ip I get no response.
I was reading on https://fralef.me/docker-and-iptables.html and tried the suggested:
iptables-A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables-A FORWARD -i eth0 -o docker0 -j ACCEPT
With these I can now curl out from the test container, but this opens up 3333 to the world too!
How do I configure iptables to allow the container to access out, but prevent access in?