I'd like my EC2 instance to have IAM-based permissions, but don't want the docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP 169.254.169.254
. Is it sufficient to run:
iptables -I DOCKER -s 169.254.169.254 -j DROP
Do I also need to configure my docker daemon with --icc=false
or --iptables=false
?
Finally got this working, you need to add this rule on the host machine:
1) Drop docker bridge packets when outbound to 169.254.169.254
port 80 or 443.
sudo iptables -I FORWARD -i docker0 -d 169.254.169.254 \
-p tcp -m multiport --dports 80,443 -j DROP
Now, if I try to connect inside the container:
$ sudo docker run -it ubuntu bash
root@8dc525dc5a04:/# curl -I https://www.google.com
HTTP/1.1 200 OK
root@8dc525dc5a04:/# curl -I http://169.254.169.254/
# <-- hangs indefinitely, which is what we want
Connections to the special IP still work from the host machine, but not from inside containers.
Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on 169.254.169.254
, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.
I would recommend the following variation on the accepted answer:
sudo iptables \
--insert DOCKER-USER \
--destination 169.254.169.254 \
--jump REJECT
The reason for this is that the above command adds the rule to the DOCKER-USER
chain which Docker is guaranteed not to modify.
Sources:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With