Docker – Preventing outgoing connection ssh, sftp etc from inside a docker instance

docker

I'm running Docker 1.6 on CentOS 7. I'm using these instances for development purposes, where users can log in and do their development work. My requirement is that I do not want any developer to make any sort of outgoing connection from inside the instance. I tried using iptables on the host machine, but it prevents connections from the host machine, not from the Docker container. Here are the entries in my iptables.

It will be a big help if you can suggest a way to stop such connections from inside a Docker container to the outside world without impacting HTTP connections.

# Generated by iptables-save v1.4.21 on Sun Jun 28 23:20:14 2015
*nat
:PREROUTING ACCEPT [6680:929529]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [521:165135]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Sun Jun 28 23:20:14 2015
# Generated by iptables-save v1.4.21 on Sun Jun 28 23:20:14 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80:65000 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80:65000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6697 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Sun Jun 28 23:20:14 2015 

Best Answer

You need to work in your FORWARD chain, because the Docker traffic goes docker -> your host interface.

For example, I need to block my HTTP traffic inside the Docker container.

iptables -A FORWARD -i virbr0 -p tcp -d 0/0 --dport 80 -m conntrack --ctstate NEW -j DROP
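The same FORWARD-chain approach applied to the asker's setup (traffic leaving the docker0 bridge, HTTP kept open), as an added example that is not part of the answer above. It generates the iptables commands as text so they can be reviewed before running them; the bridge name docker0 and the allow-list of TCP ports 80 and 443 are assumptions for this example.

```shell
#!/bin/sh
# Added example: build, and optionally apply, a FORWARD-chain egress policy
# for containers on a Docker bridge. Assumed defaults: bridge docker0,
# allowed TCP ports 80 and 443; DNS (port 53) stays open.

# egress_rules BRIDGE "PORT PORT ...": print the iptables commands, one per
# line, without executing them. Traffic leaving the bridge for any other
# interface is diverted to a dedicated chain; container-to-container traffic
# (-i docker0 -o docker0) is untouched.
egress_rules() {
    bridge=$1
    ports=$2
    chain="DOCKER-EGRESS"
    echo "iptables -N $chain 2>/dev/null || true"
    echo "iptables -F $chain"
    # replies to inbound connections (published ports) keep working
    echo "iptables -A $chain -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # name resolution, as the asker's OUTPUT chain already permits
    echo "iptables -A $chain -p udp --dport 53 -j ACCEPT"
    echo "iptables -A $chain -p tcp --dport 53 -j ACCEPT"
    # allow-listed TCP services only (HTTP/HTTPS by default)
    for p in $ports; do
        echo "iptables -A $chain -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # everything else from the containers (ssh, sftp, irc, ...) is dropped here;
    # Docker's own "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT" is never
    # reached because the jump below is inserted at position 1 of FORWARD.
    echo "iptables -A $chain -j DROP"
    echo "iptables -C FORWARD -i $bridge ! -o $bridge -j $chain 2>/dev/null || iptables -I FORWARD 1 -i $bridge ! -o $bridge -j $chain"
}

# apply_egress_rules BRIDGE "PORTS": execute the generated commands (root only).
apply_egress_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    egress_rules "$1" "$2" | sh -e
}

# Usage: sh egress.sh apply [bridge] [ports]; without "apply" it only prints.
case "${1:-}" in
    apply) apply_egress_rules "${2:-docker0}" "${3:-80 443}" ;;
    "")    egress_rules "${BRIDGE:-docker0}" "${PORTS:-80 443}" ;;
esac
```

Because the Docker daemon rewrites FORWARD rules when it starts, re-run this after a daemon restart and confirm with `iptables -L FORWARD -n --line-numbers` that the jump to DOCKER-EGRESS sits above Docker's ACCEPT rule.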