
I created 2 containers on docker. These containers of mine are in the same network. I want to restrict these containers from accessing my local network.

For example, container 1 can access my entire network, but container 2 can't reach anywhere; only I can access it. I can't do this from my central firewall because the source address of all containers is my docker host's IP address.

I tried doing this with iptables. I added the following rule for container 1:

iptables -I DOCKER-USER -s 172.17.0.2 -j ACCEPT

and I added the following rule for container 2:

iptables -I DOCKER-USER -s 172.17.0.4 -j DROP

When I do this, container 1 can access my network, container 2 cannot access my network. This is what I want. But as such, container 2 cannot respond to my TCP requests, so I cannot reach it.

Is there a solution to this?
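The rule set in the question drops every packet whose source is container 2, including the replies it sends to connections that were opened towards it. The following is an added example, not part of the question, showing one way to keep the DOCKER-USER approach and still let the restricted container answer: a conntrack rule accepting ESTABLISHED/RELATED traffic is placed ahead of the DROP. It assumes the default bridge (docker0, subnet 172.17.0.0/16) and the two addresses from the question; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the question's author): per-container egress
# filtering in DOCKER-USER, with a conntrack rule so the restricted
# container can still reply to connections made to it.
# Assumptions: default bridge interface docker0 with subnet 172.17.0.0/16,
# 172.17.0.2 = container allowed out, 172.17.0.4 = container kept in.

# Print the rule specs in the order they must appear in DOCKER-USER.
# $1 = address of the container allowed to reach the LAN
# $2 = address of the container that must not reach the LAN
docker_user_rules() {
    allowed="$1"
    restricted="$2"
    # 1. Packets belonging to a connection conntrack already knows are
    #    accepted first. A bare "-s $restricted -j DROP" also matches the
    #    SYN-ACK and data the container sends back to whoever connected to
    #    it, which is what made container 2 unreachable in the question.
    printf '%s\n' "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. New connections from the allowed container leave unrestricted.
    printf '%s\n' "-i docker0 -s $allowed -j ACCEPT"
    # 3. New connections from the restricted container to anything outside
    #    the bridge subnet are dropped; traffic to other containers on the
    #    same bridge is left alone.
    printf '%s\n' "-i docker0 -s $restricted ! -d 172.17.0.0/16 -j DROP"
}

# Insert the rules at explicit positions (1, 2, 3) so they land ahead of
# the RETURN rule Docker keeps at the end of DOCKER-USER. Needs root.
apply_docker_user_rules() {
    n=1
    docker_user_rules "$1" "$2" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        iptables -I DOCKER-USER "$n" $rule
        n=$((n + 1))
    done
}

# Usage (as root): apply_docker_user_rules 172.17.0.2 172.17.0.4
```

DOCKER-USER is consulted for forwarded packets before Docker's own rules, and NAT to the host address only happens afterwards in POSTROUTING, so the container addresses are still visible here. The rules match on container addresses, which Docker may hand out differently after a restart; pinning the addresses (or matching on a dedicated bridge interface instead) keeps the policy stable.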

1 Answer

It sounds like what you are looking for is an internal network. An internal network explicitly restricts external access to the network.

How you put this into play ultimately depends on how you are deploying your containers. If you are using docker-compose then you would need to modify your docker-compose.yml file to look something like this:

version: '2'
services:
  app1:
    image: mysql:5.7
    networks:
      - network1

  app2:
    image: someImage
    networks:
      - network1
      - network2
networks:
  network1:
    internal: true
  network2:

If you are going through the command line then you would create a network like this:

docker network create -d overlay --internal myprivatenetwork

and then attach it to your container in this manner:

docker network connect myprivatenetwork app1

If you are looking for something to work across swarms then an overlay network may possibly be better suited for your needs. Per the documentation:

The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits on top of (overlays) the host-specific networks, allowing containers connected to it (including swarm service containers) to communicate securely when encryption is enabled.

An overlay network is created in the following manner

docker network create -d overlay --attachable my-attachable-overlay

And can be attached in the same way as mentioned above.


2 Comments

Hello, thank you for your answer. But my problem is not solved. Or I did it wrong. As you said, I created 2 networks. One of them is an internal network, and I included container 2 in both networks. Container 2 is accessing my entire local network while iptables is at default. Here, when I say local network, I mean my physical network external to the docker.
The container that you don't want to be able to access from your entire network should ONLY be in the internal network. The other container should be in both networks.
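The comment thread ends on the detail that decides whether the internal network actually isolates anything: a container attached to an internal network and to an ordinary one can still reach the LAN through the ordinary one. The following is an added example, not the answerer's code, that builds the two-network layout with the bridge driver (which, unlike the overlay driver in the answer's command, needs no swarm mode) and then audits each container's attachments. The network names lan_net/internal_net, the container names app1/app2 and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the answer's author): two bridge networks, one
# of them internal, plus an audit of which networks each container is on.
# Assumptions: bridge driver, made-up names lan_net, internal_net, app1
# (allowed to reach the LAN) and app2 (must stay isolated).

# Docker creates no masquerade or forwarding rules for an internal
# network, so a container attached ONLY to it cannot reach the physical LAN.
create_networks() {
    docker network create -d bridge lan_net
    docker network create -d bridge --internal internal_net
}

# app1 sits on both networks; app2 sits only on the internal one.
run_containers() {
    docker run -d --name app1 --network lan_net alpine sleep 3600
    docker network connect internal_net app1
    docker run -d --name app2 --network internal_net alpine sleep 3600
}

# Pure check: given "name=<internal flag>" pairs for every network a
# container is attached to, succeed only if every one of them is internal.
# One non-internal attachment is enough to give the container a way out.
only_internal() {
    for pair in "$@"; do
        case "$pair" in
            *=true) ;;
            *) return 1 ;;
        esac
    done
    [ "$#" -gt 0 ]
}

# Print "name=<internal flag>" for each network the container is on, using
# docker's inspect templates (Networks map on the container, Internal
# field on the network).
attached_networks() {
    for net in $(docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$1"); do
        printf '%s=%s\n' "$net" "$(docker network inspect -f '{{.Internal}}' "$net")"
    done
}

# Report, for each container name given, whether its attachments leave it
# isolated. Returns non-zero if any container can reach the LAN.
audit() {
    rc=0
    for c in "$@"; do
        # shellcheck disable=SC2046  # one argument per attached network is intended
        if only_internal $(attached_networks "$c"); then
            echo "$c: isolated (internal networks only)"
        else
            echo "$c: can reach the LAN (attached to a non-internal network)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh isolate.sh apply     (needs a working docker CLI)
if [ "${1:-}" = "apply" ]; then
    create_networks && run_containers && audit app2
fi
```

Running the audit against app2 reports it as isolated, while running it against app1 (which sits on lan_net as well) reports that it can reach the LAN; that is exactly the configuration the commenter describes, with the restricted container on the internal network only. Because the check is on network membership rather than on container addresses, it keeps working when Docker assigns different addresses after a restart.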
