
Internal network between containers without external network access


(User10e32) #1

How do I create an internal network between containers that does not connect to the external web?

What I have done (without using compose):
I have read “Docker container networking” documentation.
Created “User-defined networks” “bridge network”.
Then I created two containers that are using this network.
I pinged both containers (25% lost?) and then I pinged google.com and the result was the same as before.

Why did I manage to ping google.com in a “User-defined network”? How can I create a network where containers can communicate with each other, but not with the external web (google.com)? How can I do it with compose and without?

What I am trying to do is: I want to allow communication to the external web (google.com) only through another container. So I need to add both containers to an internal network and one of them to a network that is able to communicate with the external world.
Additional question: if someone has created such a system before, then is it possible to access a container that does not have external access from a localhost website?


(Sam) #2

I think this link describes info you are asking about… ipv4.forwarding=true

Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 8.8.8.8 can access the containers, the following rule could be added:

$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP

(User10e32) #3

Thanks for your reply, but I only want to deny access to the outside world in containers that are connected to specific network.

Example of the general idea of the compose file, where network1 is the internal isolated network and network2 has access to the external web:

version: "3"
services:

  proxy:
    build: ./proxy
    networks:
      - network2
      - network1

  app:
    build: ./app
    networks:
      - network1

networks:
  network1:
    driver: custom-driver-1
  network2:
    driver: custom-driver-2

(Sam) #4

iptables can also deny access given a network address (range)

this is executed on the docker host…


(User10e32) #5

I understood that it is executed on the docker host.
But the problem is that my other containers would stop working when I would do something like that.
How can I update WordPress plugins that are located in another container that is using the default bridge driver… I need that only containers that are located in a specific network cannot access the outside world.

The end result I am trying to achieve: the proxy container contains a mitmproxy installation and app contains the application that I want to test.


(Sam) #6

All containers would have to be controlled to specific gateways if you want to have that work and then you’d use iptables on the host to set the routing. You can’t just let them default


(User10e32) #7

Please specify what you mean by “You can’t just let them default”.
(I want to take my system from virtualbox to docker)


(Sam) #8

If you want control of where their traffic goes then you have to control the gateway that they connect to and you have to control the forwarding on the gateway that they connect to.


(Dann Church) #9

To create a network that doesn’t allow communication with external networks, use the ‘internal: true’ configuration on an overlay network. Your config would thus be:

version: "3"
services:

  proxy:
    build: ./proxy
    networks:
      - network2
      - network1

  app:
    build: ./app
    networks:
      - network1

networks:
  network1:
    driver: overlay
    internal: true
  network2:
    driver: custom-driver-2

Containers that are only on network1 won’t be able to communicate with the “outside” world. In your case, the app service won’t be able to access google.com but proxy will (since it’s also on a non-internal network).
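As an added example (not part of any post in this thread), here is the same proxy/app layout written for a single host: `internal: true` is accepted by the bridge driver too, so it does not require swarm mode as `overlay` does. The build contexts, the `HTTP_PROXY`/`HTTPS_PROXY` variables and the proxy port 8080 are assumptions about the two images, not something the thread specifies.

```yaml
# Added example, not from the thread. Single-host layout: app can only talk to
# proxy; proxy is the only service with a route to the Internet.
version: "3"

services:
  proxy:
    build: ./proxy          # assumed build context, e.g. an image running mitmproxy
    networks:
      - isolated            # reachable by app
      - egress              # gives proxy its path to the outside world

  app:
    build: ./app            # assumed build context for the application under test
    environment:
      # Assumption: the app honours proxy environment variables, so its
      # outbound HTTP(S) goes through the proxy service; port 8080 is assumed.
      HTTP_PROXY: http://proxy:8080
      HTTPS_PROXY: http://proxy:8080
    networks:
      - isolated            # only network attached: no default route outside

networks:
  isolated:
    driver: bridge
    internal: true          # Docker installs no masquerade/forward rules: no Internet access
  egress:
    driver: bridge          # ordinary bridge network with outbound access
```

The equivalent without compose is `docker network create --internal isolated` for the isolated network and a plain `docker network create egress` for the other, then attaching containers with `--network` (or `docker network connect` for the second network on the proxy). A quick check after `docker compose up -d` is that an outbound request from the app container (to google.com, for instance) fails while the same request from the proxy container succeeds. One caveat for the question about reaching the app from localhost: Docker does not forward traffic from outside the subnet into an internal network, so a service attached only to `isolated` cannot be reached through published ports on the host either; expose its web UI through the proxy service, or attach the app to a second, non-internal network if that is acceptable for the test.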