I am facing a networking issue with my application to run JupyterHub using Docker containers.
To give you a bit of context. I created a virtual machine, on it: port 2022 (ssh) served by my server, port 443 (https) served by nginx proxied to port 8080 served by jupyterhub. A docker container is generated for each user to access JupyterHub.
The problem: On JupyterHub, users can apparently access my server and use all features and services there.
Desired solution: I want to block all traffic from the containers ( -s ) to every other network. How can I filter traffic that originates from e.g. the docker bridge/task containers?
I am still new to dockers and a novice in networking. I would highly appreciate your opinions and advice to fix this issue.
Can you elaborate on what “access my server and use all features and services” means? By default a container should not be able to access the filesystem or shell of the host.
If you want the portfilter controlled by the container runtime, you might consider to switch to kubernetes and use network polices. Docker itself doesn’t have a build-in mechanism for that.
If you just want it done and don’t care how, you could implement your own iptables rules that prevent network access. I am not an iptables guy, so can’t realy tell you how the rules should look like.
N.B.: at least for bridge networks, it is possible to prevent container to container and container to outside world communication, which pretty much isolates a container to itself, see: docker network create | Docker Documentation
Can you elaborate on what “access my server and use all features and services” means? By default, a container should not be able to access the filesystem or shell of the host.
The user can send spam emails from the container. which should not be allowed for any user.
If you just want it done and don’t care how, you could implement your own iptables rules that prevent network access. I am not an iptables guy, so can’t realy tell you how the rules should look like.
I suspected that the ideal solution would be to use iptables, but I am also not very knowledgeable about iptables.
These are the current iptables on the VM:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.160.2 tcp dpt:8000
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I will likely need to modify the FORWARD chain. To block the traffic forwarded from a container to the internet. But I am not sure which command to use.
I tried this: iptables -P FORWARD DROP but nothing changed.
Any help with the right commands would be very appreciated!
