My network is isolated into a few different VLANs but I am struggling a little with the best way to achieve isolation of some docker containers running inside a custom bridge network. For the sake of simplicity let's say the network looks like this and there are two VLANs (trusted traffic is untagged and non-trusted traffic is on VLAN 10). Untagged traffic is on a 192.168.x.0/24 subnet and VLAN 10 is on a 10.x.x.0/24 subnet.
I am running docker on Unraid and have set it up to allow VLANs and it gets an IP on both the untagged and VLAN 10 subnets.
Unraid is configured so that it is just docker that is accessible on VLAN 10, and with some containers running in a custom bridge network (10.99.99.0/24) everything works one way. When mapping ports to containers I use <VLAN 10 IP>:Port so that the port is only accessible via the VLAN 10 IP. This allows me to have some containers running inside the docker network that are purely internal to that network and not accessible outside.
The issue I have is that the containers themselves can communicate back out to the untagged network. I guess this makes sense as the host has a route to the untagged network and the docker traffic isn't tagged with a VLAN ID.
I have tried creating an iptables rule to drop traffic between the docker 10.99.99.0/24 interface and br0:
iptables -A FORWARD -i br-<MAC> -o br0 -j DROP
but that doesn't seem to work and traffic can still get through.
How can I add outbound isolation to this setup? (i.e. I only want to allow traffic from this docker network out through the br.10 interface)
I don't want to just use a MACVLAN network and put the devices on VLAN 10 as there are ports on containers I don't want to be accessible to other devices and there are some containers that I simply don't want to be seen at all on that subnet.
Ideally it would be nice to do all of this at the host level but the only other option I can see is to create a MACVLAN network on a new VLAN and apply lots of firewall rules on the router (which is a bit of a pain to maintain as I will then need to fix IPs of the containers etc.)
Best Answer
An iptables rule should be sufficient. It would need to be at the top of your FORWARD chain; something like:
It needs to be at the top of the chain because otherwise it becomes a no-op -- there are rules added by Docker that will explicitly ACCEPT the traffic.
You could instead add the rule to the DOCKER-USER chain; this is a chain that Docker arranges to be called before any Docker-managed rules. The FORWARD chain on my local system looks like:
Alternately, you could add a policy routing rule so that traffic from your containers wouldn't have a route to the untagged network. Your default routing policy looks like this:
Where the main table is what you see when you run ip route. You can add a rule that uses an alternate lookup for traffic originating from your containers:
That should result in:
And then add routing entries to table 1000:
Now connections from the containers will only have a default route, and would only be able to access the untagged network if the router at 10.x.x.1 provided an appropriate route.
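The two approaches in the answer (a DROP in DOCKER-USER, and a separate routing table for container traffic) written up as an added example script; this is not the answerer's own command listing. The values br-PLACEHOLDER, br0.10, 192.168.1.0/24 and 10.10.10.1 are placeholders for the asker's br-<id>, br.10, 192.168.x.0/24 and 10.x.x.1 and can be overridden through the environment; with the default DRY_RUN=1 the script only prints the commands, and DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example: outbound isolation for a Docker custom bridge network.
# Option 1 filters in DOCKER-USER; option 2 routes container traffic through
# a separate table. Every value below except 10.99.99.0/24 (from the question)
# is a placeholder to be set in the environment for the real host.
DOCKER_NET="${DOCKER_NET:-10.99.99.0/24}"    # custom bridge network
DOCKER_BR="${DOCKER_BR:-br-PLACEHOLDER}"     # placeholder: the br-<id> bridge of that network
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}" # placeholder for the untagged 192.168.x.0/24 subnet
VLAN_IF="${VLAN_IF:-br0.10}"                 # placeholder: host interface on VLAN 10
VLAN_GW="${VLAN_GW:-10.10.10.1}"             # placeholder for the 10.x.x.1 router on VLAN 10
RT_TABLE="${RT_TABLE:-1000}"                 # policy-routing table used by option 2
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option 1: DOCKER-USER is evaluated before Docker's own ACCEPT rules, so a
# DROP here is not shadowed the way "iptables -A FORWARD ... -j DROP" is.
# Docker ends the chain with RETURN, so rules must be inserted (-I), not
# appended; each -I lands at position 1, hence the reverse order below.
docker_user_rules() {
    run iptables -I DOCKER-USER -s "$DOCKER_NET" -d "$TRUSTED_NET" -j DROP
    run iptables -I DOCKER-USER -s "$DOCKER_NET" -d "$TRUSTED_NET" \
        -j LOG --log-prefix "docker-isolation: "
    # replies for connections that reached a container via the VLAN 10 IP keep flowing
    run iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
}

# Option 2: packets arriving from the container bridge consult table RT_TABLE,
# whose only exit is the VLAN 10 router, so the host's route to the untagged
# network is never used for container traffic.
policy_routing_rules() {
    run ip route add "$DOCKER_NET" dev "$DOCKER_BR" table "$RT_TABLE"  # keep the bridge itself reachable
    run ip route add default via "$VLAN_GW" dev "$VLAN_IF" table "$RT_TABLE"
    run ip rule add iif "$DOCKER_BR" lookup "$RT_TABLE" priority 100  # ahead of main (32766)
}

# Inspect what is in place after applying either option.
show_state() {
    run iptables -L DOCKER-USER -n -v --line-numbers
    run ip rule show
    run ip route show table "$RT_TABLE"
}

docker_user_rules
policy_routing_rules
show_state
```

Pick one option rather than both on a production host; the iptables one is simpler to audit, the routing one also lets the VLAN 10 router see and police the container traffic.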