Don't allow docker internet access
I assume by "local access" you mean you want containers to be able to talk to each other and the docker host, but not be able to get to the network outside the docker host?
You have a couple of options.
1. Use iptables to drop all packets to/from your external network interface in the DOCKER chain.

    iptables -I DOCKER -i eno1 -j DROP

(eno1 might be different in your case; it's the name of the network interface on my docker host.)
2. Turn off IP forwarding on the docker host.

    echo 0 > /proc/sys/net/ipv4/ip_forward

Note: this will also restrict any virtual machines in the same way, but it is the general and safe approach for the more security-conscious.
SOURCE:
See https://docs.docker.com/v1.5/articles/networking/#the-world "Communication between containers and the wider world" for more information.
techraf
Updated on September 18, 2022

Comments

techraf over 1 year
I'm looking for a simple way to limit my docker containers so they only have local access and not internet access.
I've tried using iptables to do this and the following works:

    iptables -I FORWARD -i docker0 -j DROP

but if the docker service is restarted localhost can no longer access the containers.
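The following script is an added example (not code from the answer above or from the Docker project) that wraps the two approaches from the answer and addresses the restart problem raised in the comment: it installs the DROP rule only when it is absent, so it can be re-run safely after the docker daemon starts, and it reports the current state of the IP forwarding sysctl. The interface name is a parameter (eno1 is only the answer's example), the chain defaults to DOCKER but can be overridden, and applying the rule assumes iptables is present and the script runs as root.

```shell
#!/bin/sh
# Added example, not part of the original answer or comment.
# Idempotent wrapper around the two approaches above:
#   1. a DROP rule for the external interface in an iptables chain, and
#   2. a read-out of the IPv4 forwarding sysctl.
# Assumptions: the external interface name is passed in, iptables and
# /proc are available, and "apply" is run as root.

# Rule specification shared by -C (check), -I (insert) and -D (delete).
# Usage: docker_drop_spec <iface> [chain]   (chain defaults to DOCKER)
docker_drop_spec() {
    printf '%s -i %s -j DROP\n' "${2:-DOCKER}" "$1"
}

# Returns 0 if the rule is already installed, non-zero otherwise.
# iptables -C only tests for the rule and changes nothing.
docker_drop_present() {
    # word splitting of the spec into separate arguments is intended
    iptables -C $(docker_drop_spec "$1" "${2:-}") >/dev/null 2>&1
}

# Insert the rule only when it is missing, so re-running this after every
# docker restart never stacks duplicate rules in the chain.
docker_drop_apply() {
    if docker_drop_present "$1" "${2:-}"; then
        echo "drop rule for $1 already present in ${2:-DOCKER}"
    else
        iptables -I $(docker_drop_spec "$1" "${2:-}")
    fi
}

# Report the forwarding sysctl as enabled/disabled/unknown. The file path is
# a parameter so the function can be exercised on a copy of the value.
ip_forward_state() {
    case "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Usage: sh block_docker_egress.sh apply  <external-iface> [chain]
#        sh block_docker_egress.sh status <external-iface> [chain]
case "${1:-}" in
    apply)
        [ -n "${2:-}" ] || { echo "usage: $0 apply <external-iface> [chain]" >&2; exit 2; }
        docker_drop_apply "$2" "${3:-}"
        ;;
    status)
        [ -n "${2:-}" ] || { echo "usage: $0 status <external-iface> [chain]" >&2; exit 2; }
        if docker_drop_present "$2" "${3:-}"; then
            echo "drop rule: present"
        else
            echo "drop rule: absent"
        fi
        echo "ip_forward: $(ip_forward_state)"
        ;;
esac
```

Two caveats worth knowing before relying on this. The DOCKER chain is owned by the daemon and is recreated when it restarts, so a rule placed there has to be re-applied afterwards (the idempotent `apply` is meant to be run from whatever starts the service). Docker 17.06 and later also create a DOCKER-USER chain that is evaluated before Docker's own rules and is left alone on restart; on such hosts passing `DOCKER-USER` as the chain argument is the more durable choice. Checking `status` after a restart is the quickest way to confirm the rule is still in force.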