Block Docker container ports with iptables/firewalld
I have a docker-compose deployment with a container, e.g.:

    version: "3"
    services:
      web:
        image: nginx
        ports:
          - "8080:80"

Docker version is 20.10.9, OS is CentOS 7.
I need to block access to port 8080 from external IP addresses except the specified ones. But

    iptables -A INPUT -p tcp -m tcp --dport 8080 ! --src <IP whitelist> -j DROP

doesn't work for Docker containers.
On a system with firewalld, the settings for the public zone aren't applied to Docker containers.
The DOCKER-USER chain doesn't work as needed either, because there I have to use --dport 80 (the internal port inside the container), not --dport 8080. But I need to use the external port, because there can be many containers with internal port 80 while the external port is unique.
I used
Solution 1:[1]
When I want to block container ports, I change the DOCKER-USER chain.
As far as I know, traffic to Docker never touches the INPUT chain in iptables.
So I would try:

    iptables -A DOCKER-USER -i <INCOMING-INTERFACE> -p tcp -m tcp --dport 8080 ! --src <IP whitelist> -j DROP

More info: https://docs.docker.com/network/iptables/
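An added example, not code from the question or from marc_s's answer: a POSIX shell helper that generates the DOCKER-USER rules for an allow-list on the published port. Docker's DNAT runs in PREROUTING before a packet reaches DOCKER-USER (entered from FORWARD), so a plain `--dport 8080` there sees the container port 80 and matches nothing; the conntrack match on the connection's original destination port, the approach the linked Docker docs use, tests the published port instead. The interface, port and CIDR values below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Generates (and optionally applies) DOCKER-USER rules that admit a published
# port only from listed sources. Docker DNATs in PREROUTING before the packet
# reaches DOCKER-USER (jumped to from FORWARD), so "--dport 8080" there sees
# port 80; conntrack's *original* destination port still holds 8080.
# Assumes iptables with the conntrack match (CentOS 7 qualifies). Interface,
# port and CIDR values used below are constructed placeholders.

# docker_port_allowlist <iface> <published-port> <cidr> [<cidr>...]
# Prints one iptables command per line, in the order they must be executed.
docker_port_allowlist() {
    [ "$#" -ge 3 ] || { echo "usage: iface port cidr [cidr...]" >&2; return 1; }
    iface=$1; port=$2; shift 2
    base="-i $iface -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport $port"
    # Docker seeds DOCKER-USER with a trailing RETURN, so rules must be
    # inserted (-I ... 1), never appended. Each insert pushes earlier ones
    # down, so the DROP is emitted first and ends up last: per-source
    # RETURNs on top, then a catch-all DROP for everyone else.
    echo "iptables -I DOCKER-USER 1 $base -j DROP"
    for cidr in "$@"; do
        echo "iptables -I DOCKER-USER 1 $base -s $cidr -j RETURN"
    done
}

# apply_rules: same arguments; dry-run unless APPLY=1 (applying needs root).
apply_rules() {
    docker_port_allowlist "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "[dry-run] $cmd"; fi
    done
}

# Demo with constructed values: allow a /24 and one host, drop the rest.
if [ -n "${DEMO:-}" ]; then
    apply_rules eth0 8080 203.0.113.0/24 198.51.100.7
fi
```

Run with `DEMO=1 sh script.sh` to print the rules, and `DEMO=1 APPLY=1` as root to install them; `iptables -L DOCKER-USER -n --line-numbers` then shows the RETURN rules above the DROP.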
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | marc_s |