Docker Community Forums


Trying to block Traffic from outside to container with iptables

Hi,

I am trying to block traffic from one of my network interfaces on the host machine to my nginx container with iptables.

So on the internet I found some examples of how to do this, but none of them are working.

1)

iptables -I FORWARD -i eth0 -d 172.17.0.2 -p tcp --dport 80 -j DROP
This one should drop all HTTP connections from my network interface to the Docker container; however, after applying this rule, I can still connect to the nginx webserver from outside.

2) The second method I found on the internet is adding a rule to the nat PREROUTING chain
iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j RETURN
That should prevent all traffic from routing to a Docker container, right?
However, the container is still reachable from outside?


After that i tried to delete the rules that docker created for the DNAT:
iptables -t nat -D DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
So as of my understanding, the Docker container should now not be reachable from anywhere anymore, right? The host should not know how to route the traffic.

However it is still reachable, how can that be?

Maybe someone knows my error.
I would appreciate any help.
Thanks

I am not sure if you are not trying to solve a non-issue…

Even though containers are generally routable from the Docker host itself, if you rely on accessing a container by its IP, it is highly likely that you are trying to do something that is not supposed to be done like that. Unless you mess around with routing, other hosts are only able to access published ports of a container (which in the case of plain Docker or docker-compose deployments can be bound to specific host IPs).

Thanks for your reply,

Maybe I should tell you the steps to reproduce my issue here. First of all, I am not trying to access a container by its IP.

So what I want to do is create an nginx container and publish the port to the host (the -p flag must come before the image name, otherwise it is passed to nginx as an argument):
[#] docker run -p 8080:80 nginx

So now I can access the container with the host IP 192.168.178.33 via eth0 or with the host IP 192.168.55.2 via eth1.

Now I want the container to be accessible only on the eth1 interface.

So I thought that this could be done with iptables. I tried the example from the documentation https://docs.docker.com/network/iptables/
-> Restrict connections to the Docker host

and also all examples I found online (see my first post), but none of them worked.

So how can it be achieved?
Thanks a lot

There you go: docker run -p 192.168.55.2:8080:80 nginx

The syntax to block an outgoing port using iptables is as follows. This applies to all the interfaces globally. To block the port only on a specific interface, use the -i option. To block the port only for a given IP or subnet, use the -s option to specify the subnet or IP address.
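As an added check that is not from this thread or from Docker's own documentation: a small Python audit of an iptables-save dump that reports which DNAT rules in the nat DOCKER chain lack a -d host address (ports published on every interface, the way -p 8080:80 does, as opposed to -p 192.168.55.2:8080:80) and which inbound interfaces the DOCKER-USER chain drops forwarded traffic on. The embedded dump is constructed from the rules quoted in this thread, not a real capture; on a real host you would feed it the output of iptables-save.

```python
# Added audit of an iptables-save dump from a Docker host: which published ports
# answer on every host address, and which inbound interfaces DOCKER-USER drops on.
import shlex

# Constructed dump modelled on this thread's rules (not a real capture):
# port 8080 is published on all addresses, 8443 only on 192.168.55.2.
SAMPLE_DUMP = """\
*nat
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 192.168.55.2/32 ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.3:443
COMMIT
*filter
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -i eth0 -j DROP
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, tokens) for each -A line of an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            _, chain, *tokens = shlex.split(line)
            yield table, chain, tokens

def option(tokens, flag):
    """Return (negated, value) for the first occurrence of flag, else None."""
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens):
            return (i > 0 and tokens[i - 1] == "!"), tokens[i + 1]
    return None

def audit(dump):
    rules = list(parse_rules(dump))
    # Docker inserts the FORWARD -> DOCKER-USER jump itself; without it the chain is inert.
    hooked = any(c == "FORWARD" and option(k, "-j") == (False, "DOCKER-USER")
                 for _, c, k in rules)
    # DOCKER-USER sees packets after DNAT (a port match there needs conntrack
    # --ctorigdstport), so this check keys off the inbound interface only.
    dropped_on = set()
    for _, c, k in rules:
        iface = option(k, "-i")
        if c == "DOCKER-USER" and option(k, "-j") == (False, "DROP") and iface and not iface[0]:
            dropped_on.add(iface[1])
    unrestricted = [{"port": option(k, "--dport")[1], "target": option(k, "--to-destination")[1]}
                    for t, c, k in rules if t == "nat" and c == "DOCKER"
                    and option(k, "-j") == (False, "DNAT") and option(k, "-d") is None]
    return {"docker_user_active": hooked, "dropped_on": sorted(dropped_on),
            "unrestricted": unrestricted}
```

A port in "unrestricted" with no entry in "dropped_on" is reachable on every host address, which is the situation described in the first post.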

Hi,

after I tried a lot, I decided to just restart the machine my Docker host is running on and try again with the examples in the documentation. Seems like something was not right before the reboot, because now everything you suggested and the example in the docs is working right out of the box.

So thank you very much for all your help and suggestions.