My goal is to limit access to docker containers to just a few public IP addresses. Is there a simple, repeatable process to accomplish my goal? Understanding only the basics of iptables while using Docker's default options, I'm finding it very difficult.
I'd like to run a container, make it visible to the public Internet, but only allow connections from select hosts. I would expect to set a default INPUT policy of REJECT and then only allow connections from my hosts. But Docker's NAT rules and chains get in the way and my INPUT rules are ignored.
Can somebody provide an example of how to accomplish my goal given the following assumptions?
- Host public IP 184.108.40.206 on eth0
- Host private IP 192.168.1.10 on eth1
docker run -d -p 3306:3306 mysql
- Block all connection to host/container 3306 except from hosts 220.127.116.11 and 18.104.22.168
I'm happy to bind the container to only the local ip address but would need instructions on how to set up the iptables forwarding rules properly which survive docker process and host restarts.
Two things to bear in mind when working with docker's firewall rules:
- To avoid your rules being clobbered by docker, use the
- Docker does the port-mapping in the
PREROUTING chain of the
nat table. This happens before the
filter rules, so
--dport will see the internal IP and port of the container. To access the original destination, you can use
-m conntrack --ctorigdstport.
iptables -A DOCKER-USER -i eth0 -s 22.214.171.124 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j ACCEPT
iptables -A DOCKER-USER -i eth0 -s 126.96.36.199 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j DROP
--ctdir ORIGINAL, this would also match the reply packets coming back for a connection from the container to port 3306 on some other server, which is almost certainly not what you want! You don't strictly need this if like me your first rule is
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT, as that will deal with all the reply packets, but it would be safer to still use
--ctdir ORIGINAL anyway.
With Docker v.17.06 there is a new iptables chain called DOCKER-USER. This one is for your custom rules: https://docs.docker.com/network/iptables/
Unlike the chain DOCKER it is not reset on building/starting containers. So you could add these lines to your iptables config/script for provisioning the server even before installing docker and starting the containers:
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 3306 -j DROP
-A DOCKER-USER -j RETURN
Now the port for MySQL is blocked from external access (eth0) even thought docker opens the port for the world. (These rules assume, your external interface is eth0.)
Eventually, you will have to clean up iptables restart the docker service first, if you messed it too much trying to lock down the port as I did.
UPDATE: While this answer is still valid the answer by @SystemParadox using
DOCKER-USER in combination with
--ctorigdstport is better.
Here is a solution which persists well between restarts and allows you to affect the exposed port rather than the internal port.
iptables -t mangle -N DOCKER-mysql
iptables -t mangle -A DOCKER-mysql -s 188.8.131.52/32 -j RETURN
iptables -t mangle -A DOCKER-mysql -s 184.108.40.206/32 -j RETURN
iptables -t mangle -A DOCKER-mysql -j DROP
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 3306 -j DOCKER-mysql
I've built a Docker image that uses this method to automatically manage the iptables for you, using either environment variables or dynamically with etcd (or both):
UPDATE: While valid in 2015, this solution is no longer the right way to do it.
The answer seems to be in Docker's documentation at https://docs.docker.com/articles/networking/#the-world
Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 220.127.116.11 can access the containers, the following rule could be added:
iptables -I DOCKER -i ext_if ! -s 18.104.22.168 -j DROP
What I ended up doing was:
iptables -I DOCKER -i eth0 -s 22.214.171.124 -p tcp --dport 3306 -j ACCEPT
iptables -I DOCKER -i eth0 -s 126.96.36.199 -p tcp --dport 3306 -j ACCEPT
iptables -I DOCKER 3 -i eth0 -p tcp --dport 3306 -j DROP
I didn't touch the