
I've been trying to find a way to ensure containers selectively are only accessible from the LAN that the (Linux) docker host is part of. I've seen this question asked/answered on Reddit, Stack, and some random other sites. They simply state when you publish ports to include the localhost address in your compose yaml like:

ports:
  - 127.0.0.1:8080:8080

This makes sense I suppose, but after implementing that, this is what I see in iptables created by docker:

Chain DOCKER (5 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.22.0.2           tcp dpt:8080

And when I forward the port on my gateway it can be accessed from outside the LAN.

I've seen others point to this page that shows how to restrict all containers: https://docker-docs.netlify.app/network/iptables/ but I don't think (?) that option will work for me because I want to selectively control which containers are restricted.

I also see mention of disabling Docker's ability to add rules, but since the docs don't recommend that I'd rather avoid it if possible.

Possibly relevant info: Ubuntu server 22, containers using default (bridge) network mode, ufw is installed/active.

2 Answers


The post Restrict Internet Access - Docker Container has an accepted answer by Bilal Usean:

Network creation for internet access

docker network create --subnet=172.19.0.0/16 internet

Network creation to block internet access

docker network create --internal --subnet 10.1.1.0/24 no-internet

If you want to connect a docker container to the internet

docker network connect internet container-name

If you want to block internet access

docker network connect no-internet container-name

Note

In an internal network we can't expose ports to connect to the outside world; please refer to this question for more details.

  • I'm not ignoring your answer, I'm now looking at how to test as a Docker compose.
    – ziondreamt
    Commented Jan 14, 2023 at 4:14
  • In my tests the "no-internet" network creates a situation where there is no communication from the host LAN possible, and it ignores published ports. Portainer describes it as "isolated with no inbound/outbound communication"
    – ziondreamt
    Commented Jan 14, 2023 at 4:58
  • There are other answers in the same post which might work better for you.
    – harrymc
    Commented Jan 14, 2023 at 8:03

Here's what finally worked for me - from https://github.com/chaifeng/ufw-docker

Modify the UFW configuration file /etc/ufw/after.rules and add the following rules at the end of the file:

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

The only difference being that I modified all references to 192.168.0.0/24 to match my LAN. I've done some minor testing and so far it doesn't break the Docker internal networking, it protects containers from the public, and it allows me to use ufw to create rules.
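To make the rule order in that after.rules block concrete, here is an added example (not from the ufw-docker project or the answer above) that walks the DOCKER-USER chain in Python against a few constructed packets aimed at the container 172.22.0.2 from the question. It assumes ufw-user-forward holds no rules and that the packet has already reached the FORWARD path toward a container.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# The ranges after.rules uses both for `-s ... -j RETURN` and for the `-d ...` deny rules
# (the answer's author narrowed 192.168.0.0/16 to their own LAN).
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    syn_only: bool = False  # tcp: FIN,SYN,RST,ACK == SYN, i.e. a new connection

def docker_user_verdict(pkt: Packet, nets=PRIVATE_NETS) -> str:
    """Walk the DOCKER-USER rules from after.rules in order and return the terminating
    verdict: 'RETURN' (fall through to Docker's own chains, so the traffic is allowed)
    or 'DROP' (ufw-docker-logging-deny logs at 3/min, then drops).
    Assumes ufw-user-forward holds no rules, as on a default ufw install."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # -A DOCKER-USER -j RETURN -s 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
    if any(src in n for n in nets):
        return "RETURN"
    # -A DOCKER-USER -p udp --sport 53 --dport 1024:65535 -j RETURN   (DNS replies)
    if pkt.proto == "udp" and pkt.sport == 53 and 1024 <= pkt.dport <= 65535:
        return "RETURN"
    # The deny rules match only destinations inside the private ranges, i.e. containers.
    dst_private = any(dst in n for n in nets)
    if dst_private and pkt.proto == "tcp" and pkt.syn_only:        # --tcp-flags ... SYN
        return "DROP"
    if dst_private and pkt.proto == "udp" and pkt.dport <= 32767:  # --dport 0:32767
        return "DROP"
    return "RETURN"  # -A DOCKER-USER -j RETURN

# Constructed sample traffic toward the container 172.22.0.2 from the question.
SAMPLES = {
    "lan_client_new_tcp":     Packet("192.168.1.20", "172.22.0.2", "tcp", 51000, 8080, True),
    "public_new_tcp":         Packet("203.0.113.7", "172.22.0.2", "tcp", 51000, 8080, True),
    "dns_reply_to_container": Packet("198.51.100.53", "172.22.0.2", "udp", 53, 40000),
    "public_udp_low_port":    Packet("203.0.113.7", "172.22.0.2", "udp", 40000, 5000),
    "public_udp_high_port":   Packet("203.0.113.7", "172.22.0.2", "udp", 40000, 40000),
}

def evaluate_samples() -> dict:
    """Return the verdict for each constructed sample packet."""
    return {name: docker_user_verdict(p) for name, p in SAMPLES.items()}
```

The last sample shows a gap worth knowing about: the UDP deny rules in this block only cover destination ports 0 to 32767, so public UDP traffic to a container port above that falls through to the final RETURN.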
