Restrict Internet Access - Docker Container

DockerDocker Networking

Docker Problem Overview

I have a situation to restrict internet access of the container in load balancer network. for example in that below picture

easy for your reference

Only container4 connects to the Internet; other three only communicate through container4 with the outside world. For example if container1 needs smtp support, it will forward smtp request to container4 to get access.

No container other than container4 should be allowed to access the Internet directly! This should be enforced on Docker level.

I believe it will be configurable on docker network creation, can any one explain how to achieve this?

Docker Solutions

Solution 1 - Docker

As found here, I got this to work with docker-compose. Save as docker-compose.yml:

version: '3'

services:
  outgoing-wont-work:
    image: alpine
    networks:
      - no-internet
    command: ping -c 3 google.com # will crash

  internal-will-work:
    image: alpine
    networks:
      - no-internet
    command: ping -c 3 internal-and-external

  internal-and-external:
    image: alpine
    networks:
      - no-internet
      - internet
    command: ping -c 3 google.com

networks:
  no-internet:
    driver: bridge
    internal: true
  internet:
    driver: bridge

Then run docker-compose up -d, docker-compose ps will show something like this after a few seconds:

              Name                            Command               State    Ports
----------------------------------------------------------------------------------
dco_inet_internal-and-external_1   ping -c 3 google.com             Exit 0        
dco_inet_internal-will-work_1      ping -c 3 internal-and-ext ...   Exit 0        
dco_inet_outgoing-wont-work_1      ping -c 3 google.com             Exit 1

Solution 2 - Docker

Network creation for access internet

>docker network create --subnet=172.19.0.0/16 internet

Network creation for block internet access

>docker network create --internal --subnet 10.1.1.0/24 no-internet

If you want to connect docker container into internet

docker network connect internet container-name

If you want to block internet access

docker network connect no-internet container-name

Note

in internal network we can't expose ports to connect outside world, please refer this question for more details

Solution 3 - Docker

Another option, if you need to expose ports on a container without internet access, but want to let it talk to other containers would be to provide a bogus DNS configuration. This isn't a perfect solution though, since it doesn't prevent direct IP access to the outside world.

docker-compose.yaml

version: '3'

services:
  service1:
    image: alpine
    command: sh -c 'ping service2 -c 1; ping google.com -c 1'
    dns: 0.0.0.0
  service2:
    image: alpine
    command: sh -c 'ping service1 -c 1; ping google.com -c 1'
    dns: 0.0.0.0

isolated> docker-compose up
Recreating isolated_service1_1 ... done                                                                                 Recreating isolated_service2_1 ... done                                                                                 Attaching to isolated_service2_1, isolated_service1_1
service1_1  | PING service2 (172.18.0.2) 56(84) bytes of data.
service1_1  | 64 bytes from isolated_service2_1.isolated_default (172.18.0.2): icmp_seq=1 ttl=64 time=0.038 ms
service1_1  |
service1_1  | --- service2 ping statistics ---
service1_1  | 1 packets transmitted, 1 received, 0% packet loss, time 0ms
service1_1  | rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms
service2_1  | PING service1 (172.18.0.3) 56(84) bytes of data.
service2_1  | 64 bytes from isolated_service1_1.isolated_default (172.18.0.3): icmp_seq=1 ttl=64 time=0.093 ms
service2_1  |
service2_1  | --- service1 ping statistics ---
service2_1  | 1 packets transmitted, 1 received, 0% packet loss, time 0ms
service2_1  | rtt min/avg/max/mdev = 0.093/0.093/0.093/0.000 ms
service1_1  | ping: google.com: Temporary failure in name resolution
service2_1  | ping: google.com: Temporary failure in name resolution
isolated_service1_1 exited with code 2
isolated_service2_1 exited with code 2

Solution 4 - Docker

As stated in Bilal's answer, the internal network is a good solution if you do not need to expose the ports.

If you do need to expose the ports, the below solution using iptables does the job for my requirements:

docker network create --subnet 172.19.0.0/16 no-internet
sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN

Then add

--network no-internet

when you run your docker container. For instance:

$ docker run -it --network no-internet ubuntu:focal /bin/bash
root@9f2181f79985:/# apt update
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Categories
Recommended Docker Solutions
Recommended Docker Networking Solutions

Previous Solution:

“Unable to locate finder for 'pip._vendor.distlib'” error when using "pip install virtualenv"

PythonPython 3.xPipVirtualenv

Next Solution:

Is it possible to restart a program from inside a program?

C++Application Restart

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionBilal UseanView Question on Stackoverflow
Solution 1 - DockerexicView Answer on Stackoverflow
Solution 2 - DockerBilal UseanView Answer on Stackoverflow
Solution 3 - DockerKeeganView Answer on Stackoverflow
Solution 4 - DockerbeledouxdenisView Answer on Stackoverflow