I'm facing the following problem: I want to block port 8000 from being accessed from the network (block all connections except the ones from 127.0.0.1). So to simplify my problem and as a first step, I decided to block all access to port 8000 by using this rule:
iptables -A INPUT -p tcp --dport 8000 -j DROP
Now, I know that I should take the reverse approach, which is to drop all connections except the trusted ones, but I decided to do it this way for educational purposes.
iptables -L
shows me this output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.1           tcp dpt:80
Unfortunately, I can still access the server on port 8000. Can you tell me what I have to do? I didn't do anything after executing the drop rule command.
Best Answer
Looks like you are using Docker. When exposing a container port Docker will create rules to forward packets to your container. These packets never go through the INPUT chain. See: http://www.faqs.org/docs/iptables/traversingoftables.html
You can filter using the FORWARD chain.
Note, this will not drop connections from localhost, and you have to use the rewritten destination (i.e. the listen port in the container).
If you want more control you can run the Docker daemon with --iptables=false, but you will have to manage the packet forwarding to your containers manually.
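The following is an added example, not code from the question or the answer. It parses the `iptables -L -n` listing quoted above (embedded here as a constructed sample), checks where a DROP rule for the published port actually sits, and derives the FORWARD rule the answer describes from the rewritten destination found in the DOCKER chain. The function names (`parse_listing`, `audit`, `suggested_forward_rules`) and the assumption that the container's listen port is the `dpt:` value in the DOCKER chain's ACCEPT rule are the example's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the `iptables -L -n` output quoted in the question.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.1           tcp dpt:80
"""


class Rule(NamedTuple):
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # match text after the five fixed columns, e.g. "tcp dpt:8000"


def parse_listing(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L -n` output into {chain name: [rules]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        chains[current].append(Rule(target, prot, src, dst, extra))
    return chains


def dport_of(rule: Rule) -> Optional[int]:
    m = re.search(r"dpt:(\d+)", rule.extra)
    return int(m.group(1)) if m else None


def chains_dropping_port(chains: Dict[str, List[Rule]], port: int) -> List[str]:
    """Names of chains holding a DROP rule for the given destination port."""
    return [name for name, rules in chains.items()
            if any(r.target == "DROP" and dport_of(r) == port for r in rules)]


def docker_published(chains: Dict[str, List[Rule]]) -> List[Tuple[str, int]]:
    """(rewritten destination, container port) pairs accepted by the DOCKER chain.
    Assumption: the DOCKER chain's ACCEPT rules reflect the post-DNAT destination."""
    pairs = []
    for r in chains.get("DOCKER", []):
        port = dport_of(r)
        if r.target == "ACCEPT" and port is not None:
            pairs.append((r.destination, port))
    return pairs


def audit(chains: Dict[str, List[Rule]], host_port: int) -> List[str]:
    """Flag a DROP that lives only in INPUT while Docker is forwarding traffic."""
    findings = []
    drops = chains_dropping_port(chains, host_port)
    if "DOCKER" in chains and "INPUT" in drops and "FORWARD" not in drops:
        findings.append(
            f"DROP for dpt:{host_port} sits only in INPUT; "
            "Docker-forwarded packets never traverse INPUT, so it has no effect")
    return findings


def suggested_forward_rules(chains: Dict[str, List[Rule]]) -> List[str]:
    """FORWARD rules using the rewritten destination, inserted (-I) ahead of the DOCKER jump."""
    return [f"iptables -I FORWARD -p tcp -d {ip} --dport {port} -j DROP"
            for ip, port in docker_published(chains)]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for finding in audit(parsed, 8000):
        print("finding:", finding)
    for cmd in suggested_forward_rules(parsed):
        print("suggested:", cmd)
```

The suggested rule uses `-I` rather than `-A` because the FORWARD chain already jumps to DOCKER as its first rule; a rule appended after that jump would never be reached for the container's traffic. The rule matches the container-side destination and port, not the host port 8000, for the reason the answer gives: by the time packets reach FORWARD the destination has already been rewritten.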