Hi, I’m tring to manage the network communication between containers in the same host. I would like if its possible to deny the ping from container1 which have ip=172.17.0.5(using exec command) to container2(with ip=172.17.0.2). I’ve tried using iptables, but anything append.
This is the rule that I have inserted in iptables:
sudo iptables -A DOCKER -t mangle -p icmp -d 172.17.0.5 -s 172.17.0.2 -j DROP
I’ have also tried to deny packet transfer from ip gateway 172.17.0.1 with this rule:
sudo iptables -A INPUT -t mangle -p icmp -d 172.17.0.1 -s 172.17.0.2 -j DROP
and this work fine. But when I try to deny packet transfer between containers, this does not work. the container1 link the container2 for communication, so when I start these 2 containers, the iptable being populated to allow transfer between them, so I would avoid this by setting --iptables=false and --icc=false, and than set by myself the rules.
but when I stop docker and try this:
sudo dockerd -H --icc=false
sudo dockerd -H --iptables=false
I get this errors:
WARN[2018-02-19T02:48:18.845829592+01:00] [!] DON’T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON’T KNOW WHAT YOU’RE DOING [!]
listen tcp: lookup --icc=false: no such host
WARN[2018-02-19T02:48:18.845829592+01:00] [!] DON’T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON’T KNOW WHAT YOU’RE DOING [!]
listen tcp: lookup --iptables=false: no such host
Can I do something to avoid ICMP packet transfer between linked containers in the same host by using iptables?