The goal is to allow only specific networks to access Docker container services/ports running on my server.
I tried adding ACCEPT rules to the INPUT filter chain. That did not help: networks even without an ACCEPT rule were still able to access the Docker service/port.
I tried adding ACCEPT and DROP rules in the FORWARD chain; this works, but it has many disadvantages, such as:
a. Rules getting deleted or repositioned on Docker restart
b. Rules can become invalid if Docker containers are redeployed and get different IPs at runtime
The plan is to BLOCK them before they even reach the FORWARD chain.
So I added a new chain in the NAT table, which redirects to the DOCKER chain if the traffic is from an allowed network; if it is from other networks, I added a DNAT to a BLOCKHOLE IP. In PREROUTING, the first rule is to jump to this chain. This seems to be working.
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:0.0.0.1
But instead of redirecting it to a BLOCKHOLE, can we somehow REJECT this traffic so that the client knows it is not allowed and is hence refused?