We have been using Docker 1.10.3 for a while to run containers with no outbound access to the external Internet. We have configured iptables on the external host to manage this, and we run the docker containers with
This has worked just fine until now. However, we just upgraded our testing environment to 1.11.0 and now the containers appear to have full access to the Internet.
Our iptables rules on the external host look like this:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
REJECT     all  --  anywhere             anywhere             owner GID match unregistered_users reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             owner GID match registered_users reject-with icmp-port-unreachable

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
We haven't been able to find anything in the 1.11.0 release notes that mentions anything like this, and we're not sure how the containers are getting through the iptables restrictions.
Any advice much appreciated!
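Editor's note, added to this thread and not part of the original post: one check a practitioner would run over a listing like the one above is to parse it and ask which chains actually carry the REJECT/DROP rules and whether the FORWARD chain is in the picture at all. The script below is an added Python example (not the poster's code); it assumes the pasted text is `iptables -L` output for the filter table (the post does not name the exact command) and that the containers use the default docker0 bridge. It embeds the post's listing as constructed sample input so it runs offline. The property it leans on is standard netfilter behaviour: packets a container sends through docker0 are routed by the host and traverse FORWARD, while OUTPUT only sees packets the host itself generates, and the `owner` match is only valid there, so an `owner`-based REJECT in OUTPUT never applies to forwarded container traffic.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `iptables -L` listing quoted in the post above,
# restored to the line layout iptables prints. Not captured from a live host.
SAMPLE_LISTING = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
REJECT     all  --  anywhere             anywhere             owner GID match unregistered_users reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             owner GID match registered_users reject-with icmp-port-unreachable

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""

# "Chain NAME (policy ACCEPT)" for built-in chains, "Chain NAME (N references)" for user chains.
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")

Rule = Dict[str, str]
Chain = Dict[str, object]


def parse_iptables_listing(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L` (filter table) output into {chain: {"policy", "rules"}}.

    policy is None for user-defined chains (they have no default policy).
    Each rule keeps target/prot/opt/source/destination plus the trailing
    match text (owner, state, reject-with, ...) as one string.
    """
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = CHAIN_HEADER.match(line)
        if header:
            current = {"policy": header.group(2), "rules": []}
            chains[header.group(1)] = current
            continue
        if current is None or line.startswith("target "):
            continue  # column header row, or text before the first chain
        cols = line.split(None, 5)
        if len(cols) < 5:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rule: Rule = dict(zip(("target", "prot", "opt", "source", "destination"), cols[:5]))
        rule["match"] = cols[5] if len(cols) > 5 else ""
        current["rules"].append(rule)  # type: ignore[union-attr]
    return chains


def blocking_rules(chains: Dict[str, Chain]) -> List[Tuple[str, str, str]]:
    """Return (chain, target, match) for every REJECT/DROP rule in the listing."""
    return [
        (name, rule["target"], rule["match"])
        for name, chain in chains.items()
        for rule in chain["rules"]  # type: ignore[attr-defined]
        if rule["target"] in ("REJECT", "DROP")
    ]


def egress_review(chains: Dict[str, Chain]) -> Dict[str, object]:
    """Summarise what the listing says about container egress filtering.

    Container packets leaving via the docker0 bridge are routed by the host,
    so they traverse FORWARD. OUTPUT only handles locally generated packets,
    and the `owner` match is only valid there, so an owner-based REJECT in
    OUTPUT cannot apply to forwarded container traffic.
    """
    output_rules = chains.get("OUTPUT", {"rules": []})["rules"]  # type: ignore[index]
    owner_rejects_in_output = [
        r for r in output_rules
        if r["target"] in ("REJECT", "DROP") and r["match"].startswith("owner")
    ]
    forward = chains.get("FORWARD")
    return {
        "forward_chain_listed": forward is not None,
        "forward_policy": forward["policy"] if forward else None,
        "owner_based_rejects_in_output": len(owner_rejects_in_output),
        "chains_with_reject_or_drop": sorted({c for c, _, _ in blocking_rules(chains)}),
    }


if __name__ == "__main__":
    parsed = parse_iptables_listing(SAMPLE_LISTING)
    for chain, target, match in blocking_rules(parsed):
        print(f"{chain}: {target} {match}")
    print(egress_review(parsed))
```

Run against the posted listing it reports that every REJECT lives in OUTPUT, that both depend on the `owner` match, and that no FORWARD chain was included; reviewing container egress therefore means looking at FORWARD (and the DOCKER chains it jumps to) rather than at OUTPUT.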