
I have a docker-compose deployment with a container, e.g.:

version: "3"
services:
  web:
    image: nginx
    ports:
     - "8080:80"

Docker version is 20.10.9, OS is CentOS 7.

I need to block access to 8080 port from external IP addresses except specified.

But iptables -A INPUT -p tcp -m tcp --dport 8080 --src ! <IP whitelist> -j DROP doesn't work for docker containers.

On a system with firewalld, the settings for the public zone aren't applied to Docker containers.

The DOCKER-USER chain doesn't work as needed because I would have to use --dport 80 (the internal port in the Docker container), not --dport 8080. But I need to use the external port, because there can be many containers with internal port 80, while the external port is unique.

I used

Timur

1 Answer


When I want to block container ports I change the DOCKER-USER chain.

As far as I know, traffic to Docker never touches the INPUT chain in iptables.

So I would try:

iptables -A DOCKER-USER -i <INCOMING-INTERFACE> -p tcp -m tcp --dport 8080 --src ! <IP whitelist> -j DROP

More info: https://docs.docker.com/network/iptables/

ruppsn
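A worked version of the DOCKER-USER approach, added here as an example and not part of the answer or of Docker's own code. It addresses the asker's objection about the port: by the time a packet reaches DOCKER-USER it has already been DNATed to the container port, so `--dport 8080` matches nothing. The conntrack match `--ctorigdstport` (documented on the Docker iptables page the answer links to) tests the destination port as it was before DNAT, i.e. the published host port, so one rule per published port works even when many containers listen on 80 internally. The DROP is inserted at position 1 rather than appended, because Docker already ends the chain with a RETURN rule that an appended DROP would sit behind. The function names, the interface `eth0`, port 8080 and the allow-list addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (hypothetical helper names): generate, and optionally apply,
# DOCKER-USER rules that allow a published port only from an allow-list.
#
# build_docker_user_rules IFACE PUBLISHED_PORT CIDR...
# Prints one iptables command per line. The DROP is inserted first at the top of
# the chain, then each allow rule is inserted above it, so the final order is:
#   allow CIDR_n ... allow CIDR_1, DROP, (Docker's own RETURN)
# --ctorigdstport matches the pre-DNAT (published) port; --ctdir ORIGINAL limits
# the match to packets flowing in the connection's original direction.
build_docker_user_rules() {
    iface="$1"; port="$2"; shift 2
    printf 'iptables -I DOCKER-USER 1 -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
        "$iface" "$port"
    for cidr in "$@"; do
        # RETURN hands allowed traffic back to Docker's own chains instead of ACCEPTing it outright.
        printf 'iptables -I DOCKER-USER 1 -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -s %s -j RETURN\n' \
            "$iface" "$port" "$cidr"
    done
}

# apply_docker_user_rules IFACE PUBLISHED_PORT CIDR...
# Executes the generated commands; needs root and iptables, stops at the first failure.
apply_docker_user_rules() {
    build_docker_user_rules "$@" | sh -e
}

# Without arguments, only print the rules for a constructed scenario: port 8080 on
# eth0 reachable from 203.0.113.10 and 198.51.100.0/24 only. "apply IFACE PORT CIDR..."
# installs them.
if [ "${1:-}" = "apply" ]; then
    shift
    apply_docker_user_rules "$@"
else
    build_docker_user_rules eth0 8080 203.0.113.10 198.51.100.0/24
fi
```

After applying, `iptables -S DOCKER-USER` should list the two RETURN rules above the DROP, and the DROP above Docker's default RETURN. Because the rules match on the external interface, traffic between containers on the bridge is not affected. Note that Docker recreates its own chains on restart but leaves DOCKER-USER alone, which is why the Docker docs recommend putting custom rules there.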