Don’t allow docker internet access

Tags: docker, iptables, networking

I'm looking for a simple way to limit my docker containers so they only have local access and not internet access.

I've tried using IPtables to do this and the following works:

iptables -I FORWARD -i docker0  -j DROP

but if the docker service is restarted localhost can no longer access the containers.

Best Answer

I assume by "local access" you mean you want containers to be able to talk to each other and the docker host, but not be able to get to the network outside the docker host ?

You have a couple of options.

1.

Use iptables to drop all packets to/from your external network interface in the DOCKER chain.

iptables -I DOCKER -i eno1 -j DROP

(eno1 might be different in your case; it's the name of the network interface on my docker host.)

2.

Turn off ip forwarding on the docker host.

echo 0 > /proc/sys/net/ipv4/ip_forward

Note: this will also restrict any virtual machines in the same way but is the general and safe approach for the more security conscious.

SOURCE:

See https://docs.docker.com/v1.5/articles/networking/#the-world "Communication between containers and the wider world" for more information.
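Both options from the answer, put into a small script as an added example that is not part of the original post. It assumes the default docker0 bridge, iptables as the packet filter, and eno1 as the host's external interface (a placeholder, as in the answer). Rather than the DOCKER chain, it inserts into the DOCKER-USER chain, which Docker 17.06 and later evaluates first from FORWARD and does not flush when the daemon restarts, which addresses the restart problem in the question; it drops both directions so containers cannot open outbound connections either. DRY_RUN=1 (the default) prints the iptables commands instead of running them, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes: the default docker0
# bridge, iptables in use, and EXT_IF as the host's external interface (eno1 on
# the answerer's host; placeholder here). DRY_RUN=1 (default) prints commands
# instead of executing them, so no root is needed to inspect the result.

EXT_IF="${EXT_IF:-eno1}"
DRY_RUN="${DRY_RUN:-1}"

# run_or_echo: print the command under DRY_RUN, otherwise execute it.
run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1: drop forwarded traffic between docker0 and the external interface.
# Both directions are dropped so containers cannot open outbound connections
# either. The DOCKER-USER chain (Docker 17.06+) is evaluated before Docker's
# own FORWARD rules and is not flushed on daemon restart. Container<->host and
# container<->container traffic never crosses EXT_IF, so it is unaffected.
block_external_for_docker() {
    chain="${1:-DOCKER-USER}"
    ext="${2:-$EXT_IF}"
    run_or_echo iptables -I "$chain" -i "$ext" -o docker0 -j DROP
    run_or_echo iptables -I "$chain" -i docker0 -o "$ext" -j DROP
}

# docker_isolated: read `iptables -S <chain>` output on stdin and succeed only
# if both DROP rules are present (a check to run after applying, or after a
# reboot or daemon restart, to confirm the rules survived).
docker_isolated() {
    chain="${1:-DOCKER-USER}"
    ext="${2:-$EXT_IF}"
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "^-A $chain -i $ext -o docker0 -j DROP\$" &&
        printf '%s\n' "$rules" | grep -q -- "^-A $chain -i docker0 -o $ext -j DROP\$"
}

# Option 2: turn off IP forwarding host-wide. Coarser than option 1: it also
# cuts off any VMs bridged through this host, as the answer notes.
disable_forwarding() {
    run_or_echo sysctl -w net.ipv4.ip_forward=0
}

# forwarding_enabled: succeed if the kernel is forwarding. The path argument
# exists so the check can be exercised against a constructed file.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Constructed sample of `iptables -S DOCKER-USER` after option 1 was applied.
SAMPLE_RULES='-N DOCKER-USER
-A DOCKER-USER -i docker0 -o eno1 -j DROP
-A DOCKER-USER -i eno1 -o docker0 -j DROP
-A DOCKER-USER -j RETURN'

# Dry-run demonstration: prints the commands that would be run, then checks
# the constructed rule listing.
block_external_for_docker
printf '%s\n' "$SAMPLE_RULES" | docker_isolated && echo "docker0 isolated from $EXT_IF"
```

To apply for real, run with `DRY_RUN=0` as root and then pipe `iptables -S DOCKER-USER` into `docker_isolated` to confirm both rules are in place; repeating that check after `systemctl restart docker` is the quickest way to see whether your Docker version preserves the chain.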
