Force all traffic for a speicifc container to go through a specific interface

Docker Engine Compose
,
1

I have a machine with 2 network interfaces. 1 of the network interfaces (eno1) is more restricted. How can I restrict a container such that it must only use this eno1 interface for all incoming and outgoing traffic? I’m running Docker Compose version v2.29.2 rootless installation on Debian 12 Linux 6.1.0.

I’ve tried the following solutions, where eno1-IP is the IP address of eno1

-p eno1-IP:host_port:container_port

This only restricts incoming traffic. Outgoing traffic uses the host’s default network interface.

networks:
  default:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.host_binding_ipv4: "eno1-IP"

This only restricts incoming traffic. Outgoing traffic uses the host’s default network interface.

network_mode: "host:eno1"

This results in the error “Error response from daemon: network host:eno1 not found”

2

For outgoing traffic you can use the com.docker.network.host_ipv4 driver options.

networks:
  net_192_168_218_9:
    driver_opts:
      com.docker.network.host_ipv4: 192.168.218.9
2 Likes
3

While this solution worked for my use case, I wanted to provide additional details for others. This didn’t work exactly as I expected. Let’s say my host IP address on the primary NIC, eno0, is 192.168.1.10 and the IP address on the restricted LAN NIC eno1 is 192.168.50.10. If I specify com.docker.network.host_ipv4: 192.168.50.10 the container doesn’t use eno1. Instead, it routes an IP address 192.168.50.10 over the primary NIC eno0. This works fine for blocking all external traffic. However, if we’re simply trying to block all external traffic, we don’t need a second NIC and can use com.docker.network.host_ipv4 to specify an arbitrary subnet like 192.168.255.255 and then have the firewall block it (e.g., using a default state violation rule). However, I can’t get com.docker.network.host_ipv4 to use a specific NIC, eno1, to access local resources within the .50.X network.

4

Hmm… It could be something I haven’t discovered yet. Are you saying the traffic first goes to the eno0 interface and it is routed to eno1 only after that?

5

I’m not sure exactly what is going on. My firewall (opnsense) was tagging the traffic as the eno0 interface. I’m not sure what what is wrong since on the host machine curl --interface eno1 1.1.1.1 works as expected. For this application, I decided not to use any other local services within the eno1 and instead using the primary NIC and block all external traffic on these containers by defining a local_network using the command docker network create -d bridge -o com.docker.network.bridge.enable.icc=false -o com.docker.network.bridge.enable_ip_masquerade=false local_network. My issue is resolved; this info is in case others find it helpful.