
I would like to be able to prevent docker containers connected to a bridge network from accessing my local network in order to add extra security since they will be accessible from outside (in case a container is compromised). I saw that I should probably use ebtables or the physdev module of iptables but I can’t create a rule that works. Thanks to the one who can help me.

2 Answers


  1. Chosen as BEST ANSWER

    After some research and if anyone is interested, it is possible to use ebtables.

    # Frames from the containers to the LAN are addressed to the bridge (their gateway),
    # so they pass through the ebtables INPUT chain before the host routes them
    # Authorize DNS queries
    ebtables -A INPUT -p IPv4 --ip-protocol TCP --ip-destination-port 53 --ip-destination 192.168.1.1 --ip-source 172.18.0.0/16 -j ACCEPT
    ebtables -A INPUT -p IPv4 --ip-protocol UDP --ip-destination-port 53 --ip-destination 192.168.1.1 --ip-source 172.18.0.0/16 -j ACCEPT
    # Drop all other packets
    ebtables -A INPUT -p IPv4 --ip-destination 192.168.1.0/24 --ip-source 172.18.0.0/16 -j DROP

    Do not forget to replace the 172.18.0.0/16 subnet with the one on which your containers are connected.


  2. I was stumbling through this myself and found one solution was to insert (-I) a new rule into the DOCKER-USER chain.

    Please see this answer: https://stackoverflow.com/a/73994723/20189349
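A worked version of the DOCKER-USER approach from this answer, added here as an example and not the code from the linked Stack Overflow answer: it assumes the same addresses as the ebtables answer above (containers on 172.18.0.0/16, LAN 192.168.1.0/24, resolver 192.168.1.1) and an iptables binary on the host.

```shell
#!/bin/sh
# Added example, not code from either answer: install rules in Docker's
# DOCKER-USER chain so that containers on DOCKER_NET may only reach the LAN
# resolver DNS_HOST on port 53, and everything else they send toward LAN_NET
# is dropped. The three addresses are assumptions: set them to your own.
DOCKER_NET="${DOCKER_NET:-172.18.0.0/16}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DNS_HOST="${DNS_HOST:-192.168.1.1}"

# Accept only a dotted quad with an optional /prefix, so a typo cannot
# silently produce a rule that matches nothing (or everything).
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# With DRY_RUN=1 the iptables command line is printed instead of executed.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# Insert a rule only when an identical one is absent (iptables -C exits 0 if
# the rule exists), so re-running the script never stacks duplicate rules.
ensure_rule() {
  if [ "${DRY_RUN:-0}" != 1 ] && iptables -C DOCKER-USER "$@" 2>/dev/null; then
    return 0
  fi
  ipt -I DOCKER-USER "$@"
}

apply_rules() {
  for a in "$DOCKER_NET" "$LAN_NET" "$DNS_HOST"; do
    valid_cidr "$a" || { echo "invalid address: $a" >&2; return 1; }
  done
  # Docker's FORWARD rules jump to DOCKER-USER before Docker's own ACCEPTs, so
  # this chain is the supported place for such policy. -I prepends, so the
  # DROP goes in first and the two ACCEPTs inserted afterwards end up above it.
  ensure_rule -s "$DOCKER_NET" -d "$LAN_NET" -j DROP &&
  ensure_rule -s "$DOCKER_NET" -d "$DNS_HOST" -p tcp --dport 53 -j ACCEPT &&
  ensure_rule -s "$DOCKER_NET" -d "$DNS_HOST" -p udp --dport 53 -j ACCEPT
}

# Apply only when invoked as "sh block-lan.sh apply" (DRY_RUN=1 to preview).
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Unlike the ebtables rules, these only match traffic the host forwards from the containers, and the DOCKER-USER chain exists only while Docker's iptables integration is enabled.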
