
The goal is to allow only specific networks to access Docker container services/ports running on my server.

Tried adding ACCEPT rules to the INPUT filter chain. That did not help; networks even without an ACCEPT rule were still able to access the Docker service/port.

Tried adding ACCEPT and DROP rules in the FORWARD chain; this works. But this has many disadvantages, like:
a. Rules getting deleted or re-positioned on Docker restart
b. Rules can become invalid if Docker containers are re-deployed and get different IPs at runtime

The plan is to BLOCK them before they even reach the FORWARD chain.

So, I added a new chain in the NAT table, which redirects to the DOCKER chain if the traffic is from an allowed network; if it is from other networks, I added a DNAT to a BLACKHOLE IP. In PREROUTING, the first rule is to jump to this chain. This seems to be working.

DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:0.0.0.1

But instead of redirecting it to a BLACKHOLE, can we somehow REJECT this traffic so that the client knows it is not allowed and the connection is refused?

  • Tried: DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:<Server-IP> and catching the same port's traffic in the INPUT filter chain with DROP/REJECT. Even then the client gets 'Connection Timed out'. So it's the same behavior even if we direct the traffic to a BLACKHOLE.
    – Ram
    Commented Aug 31, 2018 at 10:10

1 Answer

This isn't particularly nice, but if you DNAT the traffic from somewhere in PREROUTING to a blackhole address (pick some reserved network address like 192.0.2.1 from https://en.wikipedia.org/wiki/Reserved_IP_addresses), then you can reject/drop in FORWARD in the filter table. This way you only need one rule there and hopefully better avoid it being repositioned.
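The answer's approach written out as an iptables script (an added example, not code from the question or the answer). It takes port 1234 and the 192.0.2.1 blackhole from the thread; the allowed networks, the chain name DOCKER-GUARD and the interface eth0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the question or answer: the answer's approach as an
# iptables script. Assumptions: published port 1234 (from the question),
# blackhole 192.0.2.1 (TEST-NET-1, from the answer); the allowed networks,
# chain name DOCKER-GUARD and interface eth0 are constructed placeholders.
PORT=1234
ALLOWED="10.0.0.0/8 192.168.1.0/24"
BLACKHOLE=192.0.2.1
WAN_IF=eth0
IPTABLES=${IPTABLES:-iptables}

# Print the rules one per line instead of applying them, so they can be reviewed
# (or captured with IPTABLES=echo as a dry run) before touching the live firewall.
build_rules() {
    # Own chain in the nat table, jumped to from the very first PREROUTING rule,
    # so it runs before Docker's own "-m addrtype --dst-type LOCAL -j DOCKER" rule.
    echo "-t nat -N DOCKER-GUARD"
    echo "-t nat -I PREROUTING 1 -i $WAN_IF -p tcp --dport $PORT -j DOCKER-GUARD"
    # Allowed networks leave the chain and fall through to Docker's DNAT as usual.
    for net in $ALLOWED; do
        echo "-t nat -A DOCKER-GUARD -s $net -j RETURN"
    done
    # Everyone else is re-addressed to the blackhole, so no container IP is ever
    # involved and a container redeploy cannot invalidate the rule.
    echo "-t nat -A DOCKER-GUARD -j DNAT --to-destination $BLACKHOLE"
    # The single filter rule: traffic now headed for the blackhole gets a TCP RST,
    # which the client sees as "connection refused" instead of a timeout.
    echo "-t filter -I FORWARD 1 -d $BLACKHOLE -p tcp -j REJECT --reject-with tcp-reset"
}

# Run every generated rule through iptables (needs root on the real host).
apply_rules() {
    build_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPTABLES $rule
    done
}
```

Docker's own FORWARD rules only match traffic entering or leaving its bridge interface, so a packet re-addressed to the blackhole reaches the REJECT rule whatever position Docker gives its rules.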
