I am trying to block traffic from one of my network interfaces on the host machine to my nginx container with iptables.
So on the internet I found some examples of how to do this, but none of them are working.
iptables -I FORWARD -i eth0 -d 172.17.0.2 -p tcp --dport 80 -j DROP
This one should drop all HTTP connections from my network interface to the Docker container; however, after applying this rule, I can still connect to the nginx web server from outside.
2) The second method I found on the internet is adding a rule to the nat PREROUTING chain:
iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j RETURN
That should prevent all traffic from being routed to a Docker container, right?
However, the container is still reachable from outside.
After that I tried to delete the rules that Docker created for the DNAT:
iptables -t nat -D DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
So as far as I understand, the Docker container should now not be reachable from anywhere anymore, right? The host should not know how to route the traffic.
However, it is still reachable. How can that be?
Maybe someone knows my error.
I would appreciate any help.
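Added example, not code from the original post. Docker reserves the DOCKER-USER chain for exactly this purpose: FORWARD jumps to it before any of Docker's own rules, Docker only places a trailing RETURN in it, and it is left untouched when the daemon or containers restart, whereas rules inserted directly into FORWARD sit among Docker's rules and can end up reordered. The rule must match the container address and port (172.17.0.2:80 from the question, assumed correct here) rather than the published host port, because the DNAT in nat/PREROUTING has already rewritten the destination before the filter table's FORWARD chain is evaluated. The script below installs the DROP at position 1 of DOCKER-USER and includes a check, run over constructed `iptables -S DOCKER-USER` output, that the DROP really precedes the RETURN; a rule appended after the RETURN is never reached and looks exactly like "the rule does nothing". The interface name eth0 and the container address are assumptions taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the container is reachable
# at 172.17.0.2:80 on the default bridge and that the outside interface is eth0.
IFACE="${IFACE:-eth0}"
CONTAINER_IP="${CONTAINER_IP:-172.17.0.2}"
CONTAINER_PORT="${CONTAINER_PORT:-80}"
IPT="${IPT:-iptables}"     # e.g. IPT="sudo iptables" when not running as root

# The rule spec, kept in one place so -C (check), -I (insert) and -D (delete)
# all see identical text. Match the container address/port, not the published
# host port: nat/PREROUTING DNAT has already rewritten the destination by the
# time the packet reaches the filter table's FORWARD chain.
block_rule_spec() {
    printf '%s' "-i $IFACE -d $CONTAINER_IP -p tcp --dport $CONTAINER_PORT -j DROP"
}

# Install the rule at position 1 of DOCKER-USER. Docker jumps to this chain
# first from FORWARD, fills it only with a trailing RETURN and does not rewrite
# it on restart, so the rule is evaluated before Docker's own ACCEPT rules.
apply_block() {
    # shellcheck disable=SC2046  # word splitting of the spec is intended
    $IPT -C DOCKER-USER $(block_rule_spec) 2>/dev/null \
        || $IPT -I DOCKER-USER 1 $(block_rule_spec)
}

remove_block() {
    # shellcheck disable=SC2046
    $IPT -D DOCKER-USER $(block_rule_spec)
}

# Read `iptables -S DOCKER-USER` output on stdin and return 0 only if a DROP
# rule for the container address precedes Docker's RETURN. A rule appended
# after the RETURN (for example with -A) is never reached.
drop_before_return() {
    awk -v dst="$CONTAINER_IP" '
        /-j RETURN/ && !ret                        { ret = NR }
        index($0, "-d " dst) && /-j DROP/ && !drop { drop = NR }
        END { exit !(drop && (!ret || drop < ret)) }
    '
}

# Constructed sample of what `iptables -S DOCKER-USER` prints once the rule is
# in place (illustrative text, not captured from a real host).
SAMPLE_DOCKER_USER='-N DOCKER-USER
-A DOCKER-USER -i eth0 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j DROP
-A DOCKER-USER -j RETURN'

check_sample() {
    printf '%s\n' "$SAMPLE_DOCKER_USER" | drop_before_return
}

case "${1:-}" in
    apply)  apply_block ;;
    remove) remove_block ;;
    check)  $IPT -S DOCKER-USER | drop_before_return && echo "ok: DROP precedes RETURN" ;;
esac
```

Run it as root with `apply`, then `check` to confirm the ordering on the live chain and test from the outside host. One caveat: this only filters forwarded traffic; connections the host itself makes to the published port on 127.0.0.1 are handled by Docker's userland proxy and go through INPUT/OUTPUT instead, so they are not affected by a FORWARD or DOCKER-USER rule.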