Private and Proxied Docker Networking Setup – How to Configure

dockerfirewallnetworking

Above is a layout of the desired network. I am struggling with getting it just right. The internal link from the router is not relevant for this problem.

Requirements:

The only container directly exposed to the public, should be the proxy.
All containers can communicate with eachother, preferrably via host name (see user-defined docker network).
Some services such as Portainer require internet access (outgoing) to retrieve some data from their servers but should otherwise not be directly accessible.
The host may be allowed to access container services directly, but only from the host itself, not externally.

What I have achieved so far:

The proxy correctly proxies the desired containers to the outside.
All containers can communicate with eachother and their IP can be resolved via service name.

Problems:

All containers are still accessible directly, without using the proxy (by using their exposed ports)
If they are not in a bridge network they don't have internet, but if they are, they are accessible directly.

I believe 3 networks are necessary:

An internal network for the containers themselves
A network that has internet (but somehow does not expose any ports)
A network that will be used by the proxy that gets exposed to the public

I am configuring everything via Portainer, and the docker host is using Firewalld. Thanks in advance for any suggestions!

Best Answer

Alright so after revisiting this issue, I was reading a cheatsheet for Docker, and realized you can bind to an interface. By default, if no interface is specified, it binds to 0.0.0.0, but by specifying, for example 127.0.0.1:80:80 means only the docker host will be able to access the container on port 80.

This way, I specified my private network (192.168.1.0/24) as the interface to bind to for all exposed ports of my docker containers (so I can access directly from within my network) and only the Caddy proxy I bound to 0.0.0.0. Now this is behaving like I want and no special setup was needed.

Additionally I linked all containers together to the same user-defined network called internal in which I set restrict external access to true. This way, the containers can talk to eachother, can be resolved by container name and cannot be accessed by anything but my private network. All services from all containers are exposed to the public only by the reverse proxy.

Related Solutions

Docker Security Updates – How to Handle Updates in Containers

A Docker image bundles application and "platform", that's correct. But usually the image is composed of a base image and the actual application.

So the canonical way to handle security updates is to update the base image, then rebuild your application image.

Iptables – Whitelisting outgoing traffic from docker containers

The trick is to get iptables to redirect only the connections from the DEV Env containers. We can do this by adding a rule to accept all connections from the Reverse Proxy. So the IP table rules will now become:

-A PREROUTING -i docker0 -s 172.17.0.2/32 -j ACCEPT
-A PREROUTING -i docker0 -s 172.17.0.1/32 -j ACCEPT
-A PREROUTING -i docker0 -p tcp -d 0/0 -j REDIRECT --to-port 3128

Since docker dynamically allocates IPs. The IPs used will need to be updated if the docker containers are rerun or the server is restarted. I also added the rule for 172.17.0.1 which is the docker0 ip.

These rules mean that all other traffic originating from the docker0 interface, other than the reverse proxy container and docker host itself, get redirected to squid.

Within squid we can whitelist domain as we like by using the following lines

acl allowed_domain dstdomain google.com
http_access allow allowed_domain

full iptables rules are:

# Generated by iptables-save v1.4.21 on Fri Nov  6 18:54:09 2015
*nat
:PREROUTING ACCEPT [30:1796]
:INPUT ACCEPT [28:1680]
:OUTPUT ACCEPT [37:2388]
:POSTROUTING ACCEPT [46:2964]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i docker0 -s 172.17.0.2/32 -j ACCEPT
-A PREROUTING -i docker0 -s 172.17.0.1/32 -j ACCEPT
-A PREROUTING -i docker0 -p tcp -d 0/0 -j REDIRECT --to-port 3128
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.3:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8192 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
COMMIT
# Completed on Fri Nov  6 18:54:09 2015
# Generated by iptables-save v1.4.21 on Fri Nov  6 18:54:09 2015
*filter
:INPUT ACCEPT [1891:3910112]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1500:1500230]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Fri Nov  6 18:54:09 2015

full squid rules are:

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
acl allowed_domain dstdomain google.com
http_access allow allowed_domain
http_access allow localhost
http_access deny all
http_port 3128 accel vhost allow-direct
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .       0   20% 4320

Best Answer

Related Solutions

Docker Security Updates – How to Handle Updates in Containers

Iptables – Whitelisting outgoing traffic from docker containers

Related Topic