docker, container ports and iptables

I have inserted an iptables rule to block access to my containers from the internet (according to the official docker docs), but now my containers cannot access the internet either.

I run a container on a dedicated server like this:

docker run --name mycontainer --network network1 -d -p 10000:80 someImage

I can access that container from my home network...:

telnet servername.com 10000

... even though I have limited access using ufw:

ufw status
Status: active
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
...

It makes no mention of port 10000, and I initially denied all incoming ports.

According to the docs at https://docs.docker.com/network/iptables/ when starting a container with -p, docker will automatically expose the port through the firewall by manipulating iptables, using rules which are evaluated before ufw rules.

Those docs then go on to suggest blocking incoming requests like this, in the section titled "Restrict connections to the Docker host":

iptables -I DOCKER-USER -i eno ! -s 192.168.1.1 -j DROP

I got the interface name by running route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         static-ip-182-1 0.0.0.0         UG    0      0        0 eno
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-ef37f7b34afa
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-979cf8868fcd
182.133.43.627  0.0.0.0         255.255.255.192 U     0      0        0 eno

It works: I can no longer telnet to port 10000 (surprisingly, I didn't need to reload or restart anything).

Unfortunately, I can no longer access the internet from inside a container. The dedicated server can still ping google.com, but my container cannot:

docker exec mycontainer ping google.com

ping: unknown host

That was working before inserting the iptables rule, but doesn't work any more.

Question 1: what do I have to change in ufw / iptables so that my containers can again access the internet (outgoing), but so that I still cannot access my container from the internet (incoming)?

Question 2: what do I have to change in the iptables rule so that it survives a reboot? I noticed that after a reboot, I can again telnet to port 10000.

UPDATE:

docker network ls
NETWORK ID     NAME         DRIVER    SCOPE
a1e2c7cdbc65   bridge       bridge    local
218e121af9cd   host         host      local
979cf8868fcd   network1     bridge    local
cee02cfd1dba   none         null      local
ef37f7b34afa   network2     bridge    local

I noticed that /etc/resolv.conf is different depending upon whether I check on a container inside a network or one with the default network:

docker run -it --rm --network network1 alpine cat /etc/resolv.conf
nameserver 127.0.0.11
options ndots:0

docker run -it --rm alpine cat /etc/resolv.conf
nameserver 80.237.128.56
nameserver 80.237.128.57

Those two nameservers are the ones that my dedicated server uses.

ufw show raw | grep DROP
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
       0        0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
       0        0 DROP       all  --  *      br-ef37f7b34afa  0.0.0.0/0            0.0.0.0/0           
       0        0 DROP       all  --  *      br-979cf8868fcd  0.0.0.0/0            0.0.0.0/0           
   14262  1201304 DROP       all  --  eno    *      !127.0.0.1            0.0.0.0/0           
     173    37057 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     427    35720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
       0        0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
       0        0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
       0        0 DROP       all      *      *       ::/0                 ::/0                 ctstate INVALID
       0        0 DROP       all      *      *       ::/0                 ::/0                 rt type:0
       0        0 DROP       all      *      *       ::/0                 ::/0                
       0        0 DROP       all      *      *       ::/0                 ::/0                

A little more detail around those drops and docker generally:

Chain DOCKER (3 references)
    pkts      bytes target     prot opt in     out     source               destination
       2      120 ACCEPT     tcp  --  !br-979cf8868fcd br-979cf8868fcd  0.0.0.0/0            172.19.0.2           tcp dpt:3306
       1       60 ACCEPT     tcp  --  !br-ef37f7b34afa br-ef37f7b34afa  0.0.0.0/0            172.18.0.2           tcp dpt:18088
       0        0 ACCEPT     tcp  --  !br-979cf8868fcd br-979cf8868fcd  0.0.0.0/0            172.19.0.3           tcp dpt:80
       0        0 ACCEPT     tcp  --  !br-ef37f7b34afa br-ef37f7b34afa  0.0.0.0/0            172.18.0.3           tcp dpt:3306

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      19     1164 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
   14533  1228562 DOCKER-ISOLATION-STAGE-2  all  --  br-ef37f7b34afa !br-ef37f7b34afa  0.0.0.0/0            0.0.0.0/0
     168    14646 DOCKER-ISOLATION-STAGE-2  all  --  br-979cf8868fcd !br-979cf8868fcd  0.0.0.0/0            0.0.0.0/0
   25893  4430799 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
       0        0 DROP       all  --  *      br-ef37f7b34afa  0.0.0.0/0            0.0.0.0/0
       0        0 DROP       all  --  *      br-979cf8868fcd  0.0.0.0/0            0.0.0.0/0
   14720  1244372 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   14465  1218356 DROP       all  --  eno2   *      !127.0.0.1            0.0.0.0/0
   25893  4430799 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

ufw show raw | grep REJECT # contains ip addresses from fail2ban
       0        0 REJECT     all  --  *      *       85.202.169.48        0.0.0.0/0            reject-with icmp-port-unreachable
      25     1904 REJECT     all  --  *      *       112.85.42.128        0.0.0.0/0            reject-with icmp-port-unreachable
      19     1664 REJECT     all  --  *      *       61.177.172.89        0.0.0.0/0            reject-with icmp-port-unreachable
      23     1884 REJECT     all  --  *      *       112.85.42.74         0.0.0.0/0            reject-with icmp-port-unreachable
      21     1764 REJECT     all  --  *      *       112.85.42.15         0.0.0.0/0            reject-with icmp-port-unreachable
      23     1884 REJECT     all  --  *      *       112.85.42.87         0.0.0.0/0            reject-with icmp-port-unreachable
      22     1748 REJECT     all  --  *      *       122.194.229.54       0.0.0.0/0            reject-with icmp-port-unreachable
      19     1644 REJECT     all  --  *      *       122.194.229.45       0.0.0.0/0            reject-with icmp-port-unreachable
      22     1844 REJECT     all  --  *      *       218.92.0.221         0.0.0.0/0            reject-with icmp-port-unreachable
      18     1104 REJECT     all  --  *      *       112.85.42.88         0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable
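
The following script is an added example and is not part of the original post; it addresses both questions above. DOCKER-USER is jumped to from the FORWARD chain, so the single `-i eno ! -s ... -j DROP` rule in the post also drops the reply packets that come back in on the external interface for connections the containers themselves opened (DNS answers, HTTP responses), which is why the containers lost internet access while the host, whose own traffic never traverses FORWARD, could still ping google.com. Accepting ESTABLISHED,RELATED packets before the DROP limits the block to new inbound flows. For persistence, the script can write a oneshot systemd unit ordered after docker.service that re-applies the rules at boot. The interface name, the allowed address, the script path and the unit path are assumptions (the post's own values are used as defaults where it gives them), and the commands under `apply`/`install` need root:

```shell
#!/bin/sh
# Added example, not part of the original post. Builds and (optionally) applies
# DOCKER-USER rules that block unsolicited inbound traffic to published container
# ports while still letting containers reach the internet.
#
# Hypothetical settings (override via the environment): EXT_IF is the host's
# internet-facing interface, ALLOW_IP the single address allowed to reach
# published ports, UNIT_PATH where the systemd unit is written.
set -eu

EXT_IF="${EXT_IF:-eno}"
ALLOW_IP="${ALLOW_IP:-192.168.1.1}"
UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/docker-user-rules.service}"

# Rule specifications (without the chain name) in evaluation order: first match wins.
docker_user_rules() {
    ext_if=$1
    allow_ip=$2
    # 1. Return traffic for connections the containers initiated (DNS replies,
    #    HTTP responses, ...). Without this the DROP below kills outbound access.
    printf '%s\n' "-i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. Any other packet arriving on the external interface, unless from allow_ip.
    printf '%s\n' "-i $ext_if ! -s $allow_ip -j DROP"
}

# Insert each rule at its position only if it is not already present, so the
# script is idempotent and safe to re-run at every boot. "iptables -C" exits
# non-zero when the rule is absent. (-C does not check ordering: a rule that
# already exists at the wrong position must be deleted by hand.)
apply_rules() {
    # Docker normally creates DOCKER-USER itself; creating it here is harmless
    # if the script happens to run first, Docker then appends its RETURN rule.
    iptables -N DOCKER-USER 2>/dev/null || true
    pos=1
    docker_user_rules "$EXT_IF" "$ALLOW_IP" | while IFS= read -r rule; do
        # Word splitting of $rule is intended: iptables needs separate arguments.
        if ! iptables -C DOCKER-USER $rule 2>/dev/null; then
            iptables -I DOCKER-USER "$pos" $rule
        fi
        pos=$((pos + 1))
    done
    # Show the resulting chain with positions so the order can be verified.
    iptables -L DOCKER-USER -n -v --line-numbers
}

# systemd unit that re-applies the rules after dockerd is up on every boot.
# $1 is the absolute path of this script (assumed).
systemd_unit() {
    script=$1
    cat <<EOF
[Unit]
Description=Restrict inbound access to published Docker ports (DOCKER-USER)
After=docker.service
Requires=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
Environment=EXT_IF=$EXT_IF ALLOW_IP=$ALLOW_IP
ExecStart=$script apply

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    apply)   apply_rules ;;
    install) systemd_unit "$(readlink -f "$0")" > "$UNIT_PATH"
             systemctl daemon-reload
             systemctl enable --now "$(basename "$UNIT_PATH")" ;;
    *)       printf 'usage: %s apply|install\n' "$0" ;;
esac
```

Run `EXT_IF=eno ALLOW_IP=<your home IP> ./docker-user-rules.sh apply` once to test, then `install` to make it survive reboots. Note that `ufw disable` and `ufw reload` flush every iptables chain, Docker's included, so after touching ufw restart dockerd and run `apply` again (or `systemctl restart docker-user-rules`).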


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
