
Some programs in my docker container are making unwanted requests to e.g. Google Analytics and other tracking software, sharing my information. I want to block all this traffic, while still being able to access the docker from outside.

I tried adding --network=host; this worked correctly, only allowing localhost access from inside the container, but it also blocked all external incoming connections.

Is there a way to limit the outgoing connections to the localhost only, while still allowing incoming external connections? I only want to enforce this on a specific docker container, not for my entire system.

Any feedback is appreciated.

Mark

1 Answer

I found a working solution for my problem in another thread:

# Create a dedicated bridge network with a known subnet so the rules below can match on it
docker network create --subnet 172.19.0.0/16 no-internet
# Reject all forwarded traffic originating from that subnet (the container's outbound connections)
sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
# Inserted last, so it lands first: let replies to already-established (inbound) connections through
sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN

When starting a docker container add:

--network no-internet

After this, I cannot connect to the internet from inside the container. However, I can still access the container ports from the outside.

Mark
  • Thanks! Besides that, maybe someone would like to connect to the docker host; then just check what your docker host address is, e.g. 172.17.0.1, using `ip addr`. Use this instead of 127.0.0.1 – Gelldur Mar 27 '23 at 14:44
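An added example, not part of the answer or the comments above: a bash script that prints the three setup commands from the answer with the subnet and network name as variables, plus a `check_rule_order` function that reads `iptables -S DOCKER-USER` output and confirms that the RELATED,ESTABLISHED RETURN rule sits above the REJECT rule for the subnet. The order is the part that is easy to get wrong: both commands use `--insert`, so the second one ends up first; if the REJECT rule came first (for example, after running the commands in the opposite order or using `--append`), replies to connections arriving from outside would be rejected too and the published ports would stop working. The `--apply` and `--check` flags and the sample rule listings are this script's own assumptions, not something from the original post.

```shell
#!/usr/bin/env bash
# Added example: build the egress-blocked Docker network from the answer and
# verify the resulting DOCKER-USER rule order. Not code from the original post.

SUBNET="${SUBNET:-172.19.0.0/16}"          # subnet of the no-internet network
NETWORK_NAME="${NETWORK_NAME:-no-internet}" # name of the Docker network

# Print the setup commands from the answer, one per line, in the order they
# must be executed (the RETURN rule is inserted last so it ends up on top).
setup_commands() {
  printf '%s\n' \
    "docker network create --subnet $SUBNET $NETWORK_NAME" \
    "iptables --insert DOCKER-USER -s $SUBNET -j REJECT --reject-with icmp-port-unreachable" \
    "iptables --insert DOCKER-USER -s $SUBNET -m state --state RELATED,ESTABLISHED -j RETURN"
}

# check_rule_order SUBNET: reads 'iptables -S DOCKER-USER' output on stdin.
# Returns 0 when both rules for SUBNET exist and the RELATED,ESTABLISHED RETURN
# rule precedes the REJECT rule (so replies to inbound connections still pass),
# 1 when a rule is missing or the order is reversed. Matches either the
# '-m state --state' or the '-m conntrack --ctstate' spelling of the match.
check_rule_order() {
  local subnet="$1" rules return_line reject_line
  rules=$(cat)
  return_line=$(printf '%s\n' "$rules" | grep -nF -- "-s $subnet " \
    | grep -F -- 'RELATED,ESTABLISHED -j RETURN' | head -n 1 | cut -d: -f1)
  reject_line=$(printf '%s\n' "$rules" | grep -nF -- "-s $subnet " \
    | grep -F -- '-j REJECT' | head -n 1 | cut -d: -f1)
  [ -n "$return_line" ] && [ -n "$reject_line" ] && [ "$return_line" -lt "$reject_line" ]
}

case "${1:-}" in
  --apply)  # run the setup; iptables needs root, so each command goes through sudo
    setup_commands | while IFS= read -r cmd; do
      echo "+ $cmd"
      sudo sh -c "$cmd"
    done ;;
  --check)  # verify the live chain after setup (or after a Docker restart)
    if sudo iptables -S DOCKER-USER | check_rule_order "$SUBNET"; then
      echo "DOCKER-USER rule order OK for $SUBNET"
    else
      echo "DOCKER-USER rules for $SUBNET are missing or in the wrong order" >&2
      exit 1
    fi ;;
esac
```

Run `./no-internet.sh --apply` once, then `./no-internet.sh --check` to confirm the order; re-run the check after a Docker daemon restart, since Docker rewrites its own chains and the check tells you whether the DOCKER-USER rules survived. Containers started with `--network no-internet` can still be reached through their published ports, and the comment above about using the bridge gateway address (shown by `ip addr`) instead of 127.0.0.1 applies when a container needs to talk to the host.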