Docker Iptables Filtering
Mon 10 June 2019
So there I was setting up a docker repository and discovered that if you expose a docker container via the -p option then it ends up being publicly available... Oh Noes!
You can't restrict access via the INPUT chain in the filter table: a published port is DNATed (by the DOCKER chain in the nat table) to the container's address on the docker0 bridge, eg 172.17.0.2, so the packets traverse the FORWARD chain rather than INPUT. Looking at the rules for that chain you see:
$ sudo iptables -nL FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
$ sudo iptables -nL DOCKER-USER
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
So what does this DOCKER-USER chain get used for? According to the docs it's where we should put access control for docker: FORWARD jumps to it first, so rules placed there are evaluated before Docker's own rules, and the daemon leaves its contents alone (it only ensures the chain exists with a trailing RETURN), whereas rules inserted directly into FORWARD can be overtaken by the rules Docker re-creates on restart.
So I need to restrict access to a range of IPs that are local to my infrastructure, which can be achieved with:
$ sudo iptables -I DOCKER-USER 1 -p tcp -m iprange ! --src-range 1.1.1.1-1.1.1.100 -m tcp --dport 5000 -j DROP
Two things to keep in mind. The range above is a placeholder; substitute your own. And DOCKER-USER sees the packet after DNAT, so --dport 5000 matches the container port, not the host port: that is fine when the two are the same (-p 5000:5000), but for a mapping like -p 8080:5000 you would still match on 5000 here, or match the original port with -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL. The rule as written also applies to traffic from other containers on the bridge, whose 172.17.x.x addresses are outside the range and so get dropped; add -i with the external interface if that is not what you want.
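As an added example (not from the original post), here is a small POSIX shell script that generalises the rule above: it matches the pre-NAT destination port with the conntrack module so the rule keeps working when the published host port differs from the container port, limits the match to the external interface so container-to-container traffic over docker0 is untouched, and inserts the rule idempotently ahead of Docker's RETURN. The interface name eth0, the range 10.0.0.1-10.0.0.100 and port 5000 are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a DOCKER-USER rule
# that limits a published container port to an allowed source range.
# Assumptions (placeholders): external interface eth0, allowed range
# 10.0.0.1-10.0.0.100, published port 5000, DOCKER-USER chain present.

# docker_user_rulespec EXT_IF ALLOWED_RANGE PUBLISHED_PORT
# Prints the rule specification, i.e. everything after the chain name.
docker_user_rulespec() {
    ext_if=$1 range=$2 port=$3
    # -i EXT_IF:  only packets arriving from outside; inter-container traffic
    #             on docker0 never matches.
    # conntrack:  DOCKER-USER runs after DNAT, so --dport would see the
    #             container port. --ctorigdstport matches the port the client
    #             actually connected to, i.e. the host port given to -p.
    # iprange:    drop everything whose source is outside the allowed range.
    printf '%s' "-i $ext_if -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -m iprange ! --src-range $range -j DROP"
}

# apply_docker_user_rule RULESPEC
# Inserts the rule at position 1 (ahead of Docker's RETURN) unless an
# identical rule is already present, so the script can be re-run safely.
apply_docker_user_rule() {
    spec=$1
    # shellcheck disable=SC2086  # word splitting of the rule spec is intended
    if iptables -C DOCKER-USER $spec 2>/dev/null; then
        echo "rule already present in DOCKER-USER"
    else
        iptables -I DOCKER-USER 1 $spec
    fi
}

# show_docker_user_chain: print the chain so you can confirm the DROP
# sits before the RETURN Docker keeps at the end.
show_docker_user_chain() {
    iptables -S DOCKER-USER
}

# Usage (needs root and a running Docker daemon):
#   sh restrict-docker-port.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_docker_user_rule "$(docker_user_rulespec eth0 10.0.0.1-10.0.0.100 5000)"
    show_docker_user_chain
fi
```

Because the rule is keyed on the original destination port, the same spec works whether the registry was started with -p 5000:5000 or -p 8080:5000; you pass the host-side port in both cases.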