Filtering outgoing container traffic

Hello Docker Community,

I am facing a networking issue with my application that runs JupyterHub using Docker containers.

To give you a bit of context. I created a virtual machine, on it: port 2022 (ssh) served by my server, port 443 (https) served by nginx proxied to port 8080 served by jupyterhub. A docker container is generated for each user to access JupyterHub.

The problem: On JupyterHub, users can apparently access my server and use all features and services there.

Desired solution: I want to block all traffic from the containers ( -s ) to every other network. How can I filter traffic that originates from e.g. the docker bridge/task containers?

I am still new to Docker and a novice in networking. I would highly appreciate your opinions and advice to fix this issue.

Here is my docker-compose file for reference:

version: "3"

services:
  jupyterhub:
    restart: always
    build: ./jupyterhub
    hostname: jupyterhub
    ports:
      - "8080:8000"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      DOCKER_NOTEBOOK_IMAGE: "exam-scipy-notebook"
      DOCKER_NETWORK_NAME: "jupyterhub-network"
      DOCKER_JUPYTER_IMAGE: "jupyterhub/singleuser:latest"
      HUB_IP: "jupyterhub"

      LTI_CLIENT_KEY: "${LTI_CLIENT_KEY}"
      LTI_SHARED_SECRET: "${LTI_SHARED_SECRET}"

networks:
  default:
    external:
      name: "jupyterhub-network"

Thank you 🙂

Can you elaborate on what “access my server and use all features and services” means? By default a container should not be able to access the filesystem or shell of the host.

If you want the port filter controlled by the container runtime, you might consider switching to Kubernetes and using network policies. Docker itself doesn’t have a built-in mechanism for that.

If you just want it done and don’t care how, you could implement your own iptables rules that prevent network access. I am not an iptables guy, so I can’t really tell you what the rules should look like.

N.B.: at least for bridge networks, it is possible to prevent container-to-container and container-to-outside-world communication, which pretty much isolates a container to itself, see: docker network create | Docker Documentation

@meyay Thank you for your reply!

Can you elaborate on what “access my server and use all features and services” means? By default, a container should not be able to access the filesystem or shell of the host.

The user can send spam emails from the container, which should not be allowed for any user.

If you just want it done and don’t care how, you could implement your own iptables rules that prevent network access. I am not an iptables guy, so I can’t really tell you what the rules should look like.

I suspected that the ideal solution would be to use iptables, but I am also not very knowledgeable about iptables.

These are the current iptables on the VM:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.160.2        tcp dpt:8000

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

I will likely need to modify the FORWARD chain to block the traffic forwarded from a container to the internet, but I am not sure which command to use.

I tried this: iptables -P FORWARD DROP but nothing changed.

Any help with the right commands would be very appreciated!
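The dump above shows why `iptables -P FORWARD DROP` changed nothing: the policy is already DROP, and the ACCEPT rules Docker inserts into FORWARD match first. Docker reserves the DOCKER-USER chain, evaluated before those rules, for operator filtering. The script below is an added example, not code from this thread; it assumes the subnet of "jupyterhub-network" is passed as the first argument (obtainable with `docker network inspect jupyterhub-network -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}'`) and emits rules that drop new connections leaving that subnet while keeping replies and container-to-container traffic on the same bridge.

```shell
#!/bin/sh
# Added example: egress filtering for a Docker bridge network via DOCKER-USER.
# Assumption: $1 is the container subnet (e.g. 192.168.160.0/20; only the
# address 192.168.160.2 appears in the thread, the prefix length is assumed).

# Print the iptables commands, in chain order, that drop new connections
# leaving the container subnet. Replies (RELATED,ESTABLISHED) and traffic that
# stays inside the subnet (user container <-> hub) are returned to Docker's
# own rules; everything else from the subnet is logged (rate-limited) and dropped.
docker_user_rules() {
    subnet="$1"
    printf '%s\n' \
      "iptables -I DOCKER-USER 1 -s $subnet -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN" \
      "iptables -I DOCKER-USER 2 -s $subnet -d $subnet -j RETURN" \
      "iptables -I DOCKER-USER 3 -s $subnet -m limit --limit 10/min -j LOG --log-prefix 'container-egress-drop: '" \
      "iptables -I DOCKER-USER 4 -s $subnet -j DROP"
}

# Audit helper: given the text of `iptables -S DOCKER-USER` and a subnet,
# succeed (exit 0) only if an unconditional DROP for that subnet is present.
egress_blocked() {
    dump="$1"; subnet="$2"
    printf '%s\n' "$dump" | grep -q -- "^-A DOCKER-USER -s $subnet -j DROP$"
}

# Usage: sh block.sh SUBNET          -> print the rules for review
#        sh block.sh SUBNET --apply  -> apply them (needs root). They are not
#        persisted across reboots; save them with your distribution's tooling.
# Caveat: DOCKER-USER only sees forwarded traffic. Connections from a container
# to services on the VM itself traverse the INPUT chain and need a rule there.
if [ -n "${1-}" ]; then
    if [ "${2-}" = "--apply" ]; then
        docker_user_rules "$1" | sh -e
    else
        docker_user_rules "$1"
    fi
fi
```

After applying, `iptables -S DOCKER-USER` should list the four rules ahead of the existing RETURN; the LOG rule gives a kernel-log trail for any blocked attempt.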