Limit exposed ports when using ipVLAN

dan273 · January 13, 2024, 2:15pm

I have an ipvlan and bridge network attached to my container. I only want the ports to be exposed to the bridge network ip.

I tried

ports:
  - 192.168.10.12:5000:5000

And this

ports:
  - 192.168.10.12::5000

However the container is still accessible on the ipvlan at port 5000.

I also tried without the ports option and still it’s accessible.

The ipvlan subnet is 192.168.2.0/24 and the bridge network is 192.168.10.0/24

I created the ipvlan with and I tried attaching --internal to the command and that didn’t make a difference I was still able to go on to the 192.168.2.0/24 subnet and hit the container at port 5000

    networks:
      traefik-network:
        ipv4_address: 192.168.10.12
      test-network:
        ipv4_address: 192.168.2.35

docker network create --driver ipvlan --subnet 192.168.2.0/24 --gateway 192.168.2.1 --attachable --opt mode=l2 --opt parent=enp89s0.2 test-network

Does anyone have any ideas?

I tried using iptables and even that didn’t work.

I only want outgoing connections from the container to the ipvlan I don’t want any ports exposed to the ipvlan that would enable the ipvlan to hit the container at all (incoming connections).

meyay · January 13, 2024, 8:20pm

Published ports only apply to bridge networks (and on swarm overlay networks).

If a container is attached to an ipvlan, macvlan or the host network it will be reachable by the respective container ip. If a service binds all interfaces inside a container, that port will be accessible over a ipvlan, macvlan or host ip. Since you already use fixed container ips, why don’t you just bind the service to a specific ip, instead of trying to prevent it from being reachable on the ipvlan ip?

dan273 · January 13, 2024, 8:36pm

How would I do that?

Would that allow the service to use the IPvlan? I would want it to be used for outgoing traffic but not be reachable on the ipvlan ip.

I guess I would need to do this inside the docker file?

The service in this case is frigate GitHub - blakeblackshear/frigate: NVR with realtime local object detection for IP cameras

meyay · January 13, 2024, 9:51pm

Depends on the service/application. You would need to figure this out on your own for each(!) service/application individually.

I am not sure. I don’t use ipvlan, or macvlan I can’t tell you what the default gateway for a container would be. Never looked at it to be honest, as I neither use ipvlan, nor macvlan.

It is unlikely that images provide an environment variable to set this, as images are usually designed to bind the port to 0.0.0.0 (=all ips). Depending where the main process is started, it could be in the Dockerfile, the entrypoint script or a configuration file of the service/application.

dan273 · January 14, 2024, 1:15am

Thank you, figured out what I needed to change at the application level to get it to bind to the intended ip address and now it’s not listening on the ipvlan ip.