I'm trying to make a port (that is exposed by docker-compose) on a public IP available only to some of my other IP addresses. I still need the other ports to accept connections from any IP.

I've tried using ufw to achieve this, but apparently Docker itself makes some changes to iptables, so I won't be able to do this the normal way.

Saeid Raei
  • Are you sure the port isn't being blocked somewhere else? Such as a firewall, or AWS Security Group (or equivalent in a different compute provider) ? – emmdee Feb 12 '20 at 18:34
  • @emmdee No, I can open the port publicly with no firewall rules. – Saeid Raei Feb 13 '20 at 04:22

2 Answers

Not sure how well this translates to UFW, but the iptables rules to perform these steps involve something like:

iptables -I DOCKER-USER -i eth0 -s 10.0.0.0/24 -p tcp \
  -m conntrack --ctorigdstport 8080 -j ACCEPT
iptables -I DOCKER-USER -i eth0 ! -s 10.0.0.0/24 -p tcp \
  -m conntrack --ctorigdstport 8080 -j DROP

Here are the details on the parts of these commands:

  • The table needs to be DOCKER-USER, which Docker provides, runs all requests through, and does not modify the way it does other tables.
  • You want to insert into DOCKER-USER rather than append, because the default rule at the end of this table is to accept everything. A rule appended after that would be ignored.
  • The interface, eth0, is the external network interface. You often don't want to block requests internally, either on loopback or between containers.
  • The source IP CIDR specifies the address range that you want to allow, in this case 10.0.0.0/24, or the class C network 10.0.0.*. Everything else to the target port is blocked by the second rule.
  • The conntrack match and --ctorigdstport are needed to specify the original destination port, aka the published port, rather than the container port. After the mangle rules have modified the packets to communicate with the container, the port seen by iptables would be the container port, and multiple containers could be listening on the same port internally while publishing to different ports on the host.
BMitch
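The two rules above hard-code one source range. The following script, added here as an example and not part of the answer, generalizes them to an allow-list of several CIDRs for one published port, gets the rule ordering right when several rules are inserted with -I, and only inserts a rule if it is not already present so the script can be rerun safely. The names IFACE, DRY_RUN, run, ensure_rule, restrict_port and show_chain, and the addresses 10.0.0.0/24 and 203.0.113.7, are assumptions made for this example; the MySQL port 3306 matches the one the questioner mentions in the comments.

```shell
#!/bin/sh
# Added example (not from the answer above): restrict one published port to an
# allow-list of source CIDRs via the DOCKER-USER chain. IFACE, DRY_RUN,
# ensure_rule, restrict_port and show_chain are names chosen for this example.
# Run as root. DRY_RUN=1 prints the iptables commands instead of executing them.

IFACE="${IFACE:-eth0}"   # external interface; adjust for your host

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rule <iptables args...>: insert the rule at the head of DOCKER-USER
# only if an identical rule is not already present (keeps reruns idempotent).
ensure_rule() {
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C DOCKER-USER "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -I DOCKER-USER "$@"
}

# restrict_port PORT CIDR [CIDR...]
# Every -I lands at position 1, so the catch-all DROP is inserted first and the
# ACCEPT rules afterwards; the finished chain then reads ACCEPT..., DROP, then
# Docker's own final rule. --ctorigdstport matches the port as published on the
# host, i.e. before Docker's DNAT rewrote it to the container port.
restrict_port() {
    port="$1"; shift
    ensure_rule -i "$IFACE" -p tcp -m conntrack --ctorigdstport "$port" -j DROP
    for cidr in "$@"; do
        ensure_rule -i "$IFACE" -s "$cidr" -p tcp -m conntrack \
            --ctorigdstport "$port" -j ACCEPT
    done
}

# show_chain: print the resulting chain so the ordering can be checked.
show_chain() {
    run iptables -S DOCKER-USER
}

# Example: MySQL published on 3306, reachable only from two sources.
# (Constructed sample addresses; 203.0.113.7 is a documentation address.)
DRY_RUN=1 restrict_port 3306 10.0.0.0/24 203.0.113.7
```

Two checks worth doing after applying it: `iptables -S DOCKER-USER` should list the ACCEPT rules above the DROP, and a connection attempt from an address outside the list should time out rather than connect. The rules live only in the running kernel, so they must be reapplied at boot (for example via iptables-persistent) or they are gone after a restart. DOCKER-USER is only traversed for traffic Docker forwards to bridge networks, so a service running with network_mode: host is not covered by this approach.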
One option might be to utilize a reverse proxy (nginx/traefik/haproxy container?) in front of the application that does the filtering for you.

duct_tape_coder
  • I'm already using traefik. At first I thought I could handle this using its middlewares, but then I found out that middlewares are not available for TCP reverse proxies. I'm not sure if it's possible to use nginx as a TCP reverse proxy for MySQL, and I don't know if haproxy supports TCP or IP whitelists. – Saeid Raei Feb 13 '20 at 11:13
  • `nginx` seems to be able to proxy TCP, but (possibly) only with a plus license. `haproxy` I _know_ supports tcp proxying. – sastorsl Apr 21 '22 at 14:44
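The comments settle on HAProxy for TCP proxying. The configuration below is an added example, not from the answer or its comments, of the allow-list it would take for the MySQL case the questioner describes: HAProxy runs in TCP mode, accepts connections only from listed source addresses and forwards them to the database. It assumes the HAProxy container is the only one that publishes port 3306 on the host, that the database container is reachable on the same compose network under the service name `mysql`, and that the names `mysql_in`, `mysql_db`, `db1`, `allowed_src` and the sample addresses are chosen here for illustration.

```haproxy
# Added example haproxy.cfg: IP allow-list for a TCP (MySQL) service.
# Names and addresses below are assumptions for this example.
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend mysql_in
    bind *:3306
    # Sources allowed to reach the database (constructed sample addresses).
    acl allowed_src src 10.0.0.0/24 203.0.113.7
    # Reject every other connection before any bytes are forwarded.
    tcp-request connection reject if !allowed_src
    default_backend mysql_db

backend mysql_db
    # Database container; its own port is NOT published on the host.
    server db1 mysql:3306 check
```

The filter only works if the database port is not also published directly, since a published port bypasses the proxy. It also relies on HAProxy seeing the real client address: connections that Docker's userland proxy hands over (for instance from the host's own loopback) may arrive from the bridge gateway address instead, so test the rule from an external client and watch the `tcplog` output to confirm which source address HAProxy is actually matching on.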