Limit egress from swarm containers to port 80/443 or deny certain ports

markperri · January 25, 2021, 10:19pm

Is it possible to limit egress from swarm containers to only certain ports or to deny certain ports? I’d like to just allow containers to access 80 and 443. If I alter iptables to drop a certain port for OUTPUT on the swarm manager and worker the container is still able to access those ports.

markperri · January 26, 2021, 2:35am

I found the reference for DOCKER-USER in iptables and this works:

sudo /sbin/iptables -I DOCKER-USER -p tcp -m multiport --dport 80,443,53 -j ACCEPT
sudo /sbin/iptables -I DOCKER-USER 2 -p udp -m multiport --dport 80,443,53 -j ACCEPT
sudo /sbin/iptables -I DOCKER-USER 3 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -I DOCKER-USER 4 -j DROP

Topic		Replies	Views
How should I run a secure swarm in production? Swarm	1	207	July 9, 2024
Control container egress (i.e. half of network policies) Feature Requests docker , swarm	0	1998	November 5, 2019
Setting up docker swarm and questions on customizing the default ports General	1	1615	May 2, 2018
Restricted user for working nodes in portainer does not work General swarm	0	529	April 19, 2020
SWARM : Some ports are exposed, some other not Swarm	21	1705	May 4, 2024

Limit egress from swarm containers to port 80/443 or deny certain ports

Related topics