Limit exposed ports when using ipVLAN

I have an ipvlan and bridge network attached to my container. I only want the ports to be exposed to the bridge network ip.

I tried


And this


However the container is still accessible on the ipvlan at port 5000.

I also tried without the ports option and still it’s accessible.

The ipvlan subnet is and the bridge network is

I created the ipvlan with and I tried attaching --internal to the command, and that didn’t make a difference. I was still able to go on to the subnet and hit the container at port 5000.

docker network create --driver ipvlan --subnet --gateway --attachable --opt mode=l2 --opt parent=enp89s0.2 test-network

Does anyone have any ideas?

I tried using iptables and even that didn’t work.

I only want outgoing connections from the container to the ipvlan. I don’t want any ports exposed to the ipvlan that would enable the ipvlan to hit the container at all (incoming connections).

Published ports only apply to bridge networks (and on swarm overlay networks).

If a container is attached to an ipvlan, macvlan or the host network, it will be reachable by the respective container ip. If a service binds all interfaces inside a container, that port will be accessible over an ipvlan, macvlan or host ip. Since you already use fixed container ips, why don’t you just bind the service to a specific ip, instead of trying to prevent it from being reachable on the ipvlan ip?

How would I do that?

Would that allow the service to use the IPvlan? I would want it to be used for outgoing traffic but not be reachable on the ipvlan ip.

I guess I would need to do this inside the docker file?

The service in this case is frigate (GitHub - blakeblackshear/frigate: NVR with realtime local object detection for IP cameras).

Depends on the service/application. You would need to figure this out on your own for each(!) service/application individually.

I am not sure. I don’t use ipvlan or macvlan. I can’t tell you what the default gateway for a container would be. Never looked at it to be honest, as I neither use ipvlan nor macvlan.

It is unlikely that images provide an environment variable to set this, as images are usually designed to bind the port to (=all ips). Depending on where the main process is started, it could be in the Dockerfile, the entrypoint script or a configuration file of the service/application.

Thank you, figured out what I needed to change at the application level to get it to bind to the intended ip address and now it’s not listening on the ipvlan ip.
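
Added example, not part of the original thread: a Python check for the fix described above, which parses the container's /proc/net/tcp table and reports whether port 5000 is still listening on the wildcard address or on the ipvlan IP. The sample tables and the addresses 172.18.0.2 (bridge) and 192.168.2.10 (ipvlan) are constructed, since the thread does not give the real ones.

```python
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp
BRIDGE_IP = "172.18.0.2"    # constructed bridge address
IPVLAN_IP = "192.168.2.10"  # constructed ipvlan address

def parse_listeners(proc_net_tcp):
    """Return (ip, port) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established/outgoing connections are not listeners
        ip_hex, port_hex = fields[1].split(":")
        # The address is a host-order 32-bit value; this assumes a
        # little-endian host (x86, ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append((ip, int(port_hex, 16)))
    return listeners

def exposed_on(listeners, port, forbidden_ip):
    """True if `port` accepts connections arriving on `forbidden_ip`."""
    return any(p == port and ip in ("0.0.0.0", forbidden_ip)
               for ip, p in listeners)

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
# Constructed sample: service bound to all addresses (0.0.0.0:5000).
BEFORE = HEADER + "   0: 00000000:1388 00000000:0000 0A 00000000:00000000\n"
# Constructed sample: service bound to the bridge IP only, plus one
# outgoing connection that leaves via the ipvlan address (state 01).
AFTER = (HEADER
         + "   0: 020012AC:1388 00000000:0000 0A 00000000:00000000\n"
         + "   1: 0A02A8C0:C350 6402A8C0:022A 01 00000000:00000000\n")

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        found = parse_listeners(table)
        print(name, found, "exposed on ipvlan:",
              exposed_on(found, 5000, IPVLAN_IP))
```

Inside a real container, pass the contents of /proc/net/tcp instead of the samples. A service bound to `::` is listed in /proc/net/tcp6, which this check does not parse.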