Hi,
Here’s my 1st iteration on a solution for this.
So far it seems to work just as required, but feedback would be appreciated.
Goal: Restrict access by IP to a docker container listening on the host port 5000 (Docker Private Registry).
Scenario: Currently, by default, all traffic is allowed access to port 5000
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5000
Solution:
a) Create a PRE_DOCKER table with a default rule of REJECT and insert it as the 1st table on the FORWARD chain.
sudo iptables -N PRE_DOCKER
sudo iptables -I FORWARD -o docker0 -j PRE_DOCKER
sudo iptables -A PRE_DOCKER -i docker0 ! -o docker0 -j ACCEPT
sudo iptables -A PRE_DOCKER -i docker0 -o docker0 -j ACCEPT
sudo iptables -A PRE_DOCKER -j REJECT
b) Insert rules before the default REJECT to allow IP addresses.
One IP from the USA and one IP from Asia:
sudo iptables -I PRE_DOCKER -s 192.184.41.144 -j ACCEPT
sudo iptables -I PRE_DOCKER -s 120.29.76.14 -j ACCEPT
c) End result:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 PRE_DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5000
Chain PRE_DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 120.29.76.14 0.0.0.0/0
0 0 ACCEPT all -- * * 192.184.41.144 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
It’s a Sunday afternoon here so I’m just kind of tinkering, but my tests so far work OK.
Seems reasonable to you too?
I could be totally wrong, iptables can be tricky and I’m no guru with it.
Cheers.
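Added example, not the poster's own commands: a re-runnable script that builds the PRE_DOCKER chain from the post with two changes worth calling out. First, it matches on TCP port 5000 explicitly and RETURNs anything else to Docker's own FORWARD rules, so the chain gates only the registry port rather than all traffic to the bridge (swap the final RETURN for REJECT if you prefer the blanket default from the post). Second, it puts a conntrack RELATED,ESTABLISHED accept at the top of the chain: because the jump to PRE_DOCKER sits in front of the existing `ctstate RELATED,ESTABLISHED` rule in FORWARD, replies to connections the container opens itself (anything the registry fetches from outside) would otherwise arrive with out=docker0 from a non-allowed source and hit the REJECT. The bridge name docker0, the container port 5000 (what FORWARD sees after Docker's DNAT is the container port, not the host port) and the two sample IPs are assumptions taken from the post; by default the script only prints the commands, and APPLY=1 runs them as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the PRE_DOCKER chain so it
# (a) only gates TCP/5000 instead of all traffic to the bridge, (b) accepts replies to
# connections the container opened itself, and (c) can be re-run without duplicating rules.
# Assumptions: bridge docker0, registry container listening on 5000 (the dport seen in
# FORWARD is the container port, after Docker's DNAT), allowed IPs as in the post.
# Default is a dry run that prints the commands; APPLY=1 executes them (needs root).
set -eu

CHAIN=${CHAIN:-PRE_DOCKER}
BRIDGE=${BRIDGE:-docker0}
PORT=${PORT:-5000}
APPLY=${APPLY:-0}
ALLOWED_IPS=${ALLOWED_IPS:-"192.184.41.144 120.29.76.14"}   # sample IPs from the post

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit or apply the whole policy. Rule order is the point: conntrack first, then the
# allow list, then a port-specific REJECT, then RETURN so Docker's own FORWARD rules
# still decide anything that is not the registry port.
install_chain() {
    ips=$1                                            # space-separated IPs or CIDRs
    run iptables -N "$CHAIN" 2>/dev/null || true      # create once; -F below rebuilds it
    run iptables -F "$CHAIN"
    # 1. replies to connections the container itself initiated (e.g. upstream fetches)
    run iptables -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 2. container-to-container traffic on the same bridge
    run iptables -A "$CHAIN" -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
    # 3. allowed clients, limited to the registry port
    for ip in $ips; do
        run iptables -A "$CHAIN" -p tcp -s "$ip" --dport "$PORT" -j ACCEPT
    done
    # 4. everyone else gets a TCP reset on the registry port (clients fail fast)
    run iptables -A "$CHAIN" -p tcp --dport "$PORT" -j REJECT --reject-with tcp-reset
    # 5. anything not aimed at the registry port continues down FORWARD as before
    run iptables -A "$CHAIN" -j RETURN
    # Hook the chain in front of DOCKER, for traffic headed to the bridge only.
    # In apply mode check first so a second run does not stack a duplicate jump.
    if [ "$APPLY" = 1 ] && iptables -C FORWARD -o "$BRIDGE" -j "$CHAIN" 2>/dev/null; then
        return 0
    fi
    run iptables -I FORWARD 1 -o "$BRIDGE" -j "$CHAIN"
}

install_chain "$ALLOWED_IPS"
```

After applying, `iptables -L PRE_DOCKER -n -v --line-numbers` should show the conntrack accept at position 1 and the per-IP accepts ahead of the reset. Note that Docker re-inserts its own jump to DOCKER at the top of FORWARD when the daemon restarts, which pushes PRE_DOCKER below it, so re-run the script (or a unit that depends on docker.service) after a restart and confirm the jump order before trusting the restriction.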