Docker Community Forums


Docker restrict container network access

I created 2 containers on docker. These containers of mine are in the same network. I want to restrict these containers from accessing my local network. For example: container 1 can access my entire network, but container 2 can’t reach anywhere, but only I can access it. I can’t do this from my central firewall because the source address of all containers is my docker host’s IP address. I tried doing this with iptables. I added the following rule for container 1:

iptables -I DOCKER-USER -s -j ACCEPT

and I added the following rule for container 2:

iptables -I DOCKER-USER -s -j DROP

When I do this, container 1 can access my network, container 2 cannot access my network. This is what I want. But as such, container 2 cannot respond to my TCP requests, so I cannot reach it.

Is there a solution to this?

If you want to completely disable the networking stack on a container, you can use the --network none flag when starting the container.

Disable networking for a container
Create the container. …
Check the container’s network stack, by executing some common networking commands within the container. …
Stop the container.

Hello no I don’t want this.
I want to restrict some of my containers from being able to go to the addresses I want on my local network other than the docker, but not the ones I don’t want.
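The reason container 2 stops answering is that the DROP rule also discards the reply packets of connections you open to it; the fix is an ACCEPT for established/related connections placed above the DROP in DOCKER-USER, plus one ACCEPT per LAN host the container is still allowed to reach. The script below is an added example, not from this thread; the container address, LAN subnet and allowed host are placeholders, and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Builds the DOCKER-USER rules for one container. With APPLY=1 the
# commands are executed; otherwise they are printed for review.

# Print one iptables command and run it only when APPLY=1.
emit() {
    printf '%s\n' "iptables $*"
    [ "${APPLY:-0}" = 1 ] && iptables "$@"
    return 0
}

# restrict_container <container_ip> <lan_cidr> [allowed_lan_host ...]
# Required final order in DOCKER-USER (top to bottom):
#   1. replies of established connections -> ACCEPT (keeps the container reachable)
#   2. each allowed LAN destination       -> ACCEPT
#   3. anything else from container to LAN -> DROP
# DOCKER-USER ends with a RETURN rule, so -A would land after it and never
# match; -I inserts at the top, hence the rules are emitted in reverse order.
restrict_container() {
    ip=$1; lan=$2; shift 2
    emit -I DOCKER-USER -s "$ip" -d "$lan" -j DROP
    for dst in "$@"; do
        emit -I DOCKER-USER -s "$ip" -d "$dst" -j ACCEPT
    done
    emit -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Placeholder values (constructed): container 2 at 172.18.0.3 on a 172.18.0.0/16
# user-defined network, LAN 192.168.1.0/24, one allowed LAN host 192.168.1.10.
restrict_container 172.18.0.3 192.168.1.0/24 192.168.1.10
# Verify the resulting order with: iptables -L DOCKER-USER -n --line-numbers
```

Container addresses are not stable across restarts unless you pin them (a user-defined network and `docker run --ip`), otherwise the `-s` match silently stops applying to the right container.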