Some of the services that we run on our servers with Docker try to connect to private IP addresses (10.0.0.0/8, 192.0.0.0/16, 172.16.0.0/12, 100.64.0.0/10).
This behavior is normal, but our server provider detects this traffic and sends us alerts.
We would like to stop only the outgoing traffic, not the incoming, with iptables.
This is our current setup:
-A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner `id -u dockeruser` -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 100.64.0.0/10 -m owner --uid-owner `id -u dockeruser` -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 172.16.0.0/12 -m owner --uid-owner `id -u dockeruser` -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner `id -u dockeruser` -j REJECT --reject-with icmp-port-unreachable
However, this doesn't seem to work because Docker creates the following rules:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
For the services:
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1234
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:1234
Finally:
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Any feedback is appreciated.
You are adding the rules in the wrong chain. The traffic that originates from a docker container passes through the FORWARD chain of the filter table, not the OUTPUT chain. This is because from the host computer's perspective, the traffic is incoming from the docker0 interface, and the host computer is merely acting as a forwarder.
In order to differentiate between inbound and outbound traffic, use the -i and -o options to specify the interface. Also you can't use uid to determine whether the traffic is coming from a docker container (since the data is not locally originated). Checking the incoming interface is enough for that.
So, add the following rules to the DOCKER-ISOLATION chain (which is being called from the FORWARD chain):
-I DOCKER-ISOLATION -d 192.168.0.0/16 -i docker0 ! -o docker0 -j REJECT --reject-with icmp-port-unreachable
-I DOCKER-ISOLATION -d 100.64.0.0/10 -i docker0 ! -o docker0 -j REJECT --reject-with icmp-port-unreachable
-I DOCKER-ISOLATION -d 172.16.0.0/12 -i docker0 ! -o docker0 -j REJECT --reject-with icmp-port-unreachable
-I DOCKER-ISOLATION -d 10.0.0.0/8 -i docker0 ! -o docker0 -j REJECT --reject-with icmp-port-unreachable
Replace docker0 by the name of the virtual interface created by docker.
(Note: If the chain DOCKER-ISOLATION doesn't exist, append directly to the FORWARD chain.)
Also look at the output of iptables -vL and iptables -t nat -vL to better understand how addresses are being translated.
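The procedure the answer describes, put together as a small POSIX shell script. This is an added example, not code from the question or the answer: it generates the per-range REJECT rules for the Docker bridge interface, picks DOCKER-ISOLATION when that chain exists and falls back to FORWARD otherwise (the answer's note), and installs each rule only if it is not already present. The interface name, chain name and the list of private ranges are parameters; the defaults (docker0, DOCKER-ISOLATION, the four RFC 1918/6598 ranges from the question) are assumptions you should adjust to your host. Rules are inserted with -I rather than appended, because the DOCKER-ISOLATION chain shown in the question starts with an unconditional RETURN and anything appended after it would never be evaluated.

```shell
#!/bin/sh
# Added example: block container-originated traffic to private ranges.
# Run with "apply" as root to install the rules; without arguments it only
# prints the rule specifications (dry run), so it can be reviewed first.

# Assumed defaults; override via environment, e.g. DOCKER_IF=br-abc123.
DOCKER_IF="${DOCKER_IF:-docker0}"
PRIVATE_RANGES="${PRIVATE_RANGES:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10}"

# Print one rule specification per private range. Each spec starts with the
# chain name so it can be passed verbatim to "iptables -C" / "iptables -I".
# -i <bridge> selects traffic that entered from containers; ! -o <bridge>
# excludes container-to-container traffic on the same bridge.
egress_rule_specs() {
  chain="$1"
  ifname="$2"
  for net in $PRIVATE_RANGES; do
    printf '%s -d %s -i %s ! -o %s -j REJECT --reject-with icmp-port-unreachable\n' \
      "$chain" "$net" "$ifname" "$ifname"
  done
}

# Prefer the DOCKER-ISOLATION chain (called from FORWARD); if Docker did not
# create it, use FORWARD directly.
pick_chain() {
  if iptables -t filter -nL DOCKER-ISOLATION >/dev/null 2>&1; then
    echo DOCKER-ISOLATION
  else
    echo FORWARD
  fi
}

# Idempotent install: "-C" tests whether the rule already exists, "-I" puts
# the rule at the top of the chain so it is evaluated before Docker's own
# RETURN/ACCEPT rules. Word splitting of $spec is intentional.
apply_rules() {
  chain="$1"
  ifname="$2"
  egress_rule_specs "$chain" "$ifname" | while read -r spec; do
    # shellcheck disable=SC2086
    if ! iptables -C $spec 2>/dev/null; then
      # shellcheck disable=SC2086
      iptables -I $spec
    fi
  done
}

if [ "${1:-}" = "apply" ]; then
  apply_rules "$(pick_chain)" "$DOCKER_IF"
else
  # Dry run: show what would be installed.
  egress_rule_specs "${CHAIN:-DOCKER-ISOLATION}" "$DOCKER_IF"
fi
```

After applying, confirm the rules sit above the RETURN rule with iptables -vL DOCKER-ISOLATION and watch the packet counters increase when a container tries to reach one of the ranges; the counters are also what you would hand to the provider as evidence that the traffic is now rejected on the host. Docker rewrites its own chains when the daemon restarts, so the script should be rerun from a boot-time hook; on Docker releases that provide a DOCKER-USER chain, that chain is the intended place for such rules and survives restarts.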