I am running a Gentoo host with an Ubuntu container in Docker. They communicate via a bridge automatically created by Docker. I would like to drop all traffic for 192.168.0.0/16 that may come out of the container.
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
Please let me know if I need to provide extra information.
No, your container still runs as root. Use the USER instruction in your Dockerfile. When you launch the container, you add the --privileged option. This will let anyone in the docker group access your /dev. He can access the file system. In addition, you should apply iptables rules on the host (outside of the container).
Anyone with docker group permission can go inside your container. Then he can access /dev and do whatever reads/writes on your hardware/software devices freely. This is a typical privilege escalation. Don't you agree with me?
Disable networking for a container.
1. Create the container.
2. Check the container's network stack by executing some common networking commands within the container. Notice that no eth0 was created. The second command returns empty because there is no routing table.
3. Stop the container. It is removed automatically because it was created with the --rm flag.
One option would be to run docker with --icc=false, preventing any container from communicating with other containers; you could then let containers communicate with each other by linking them with --link=container_name:alias. This will not block the container from communicating with the host at this time though.
You could also operate with iptables with a rule like:
iptables -A INPUT -i docker0 -d 192.168.0.0/16 -j DROP
Keep in mind that a host doesn't see a dropped packet coming back as an ICMP error, so maybe REJECT is more appropriate in most cases.
Edit: correcting the rule to block forwarding to other hosts:
iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
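The rule above only works if it sits in FORWARD before Docker's own "-i docker0 ! -o docker0 -j ACCEPT" (which is why -I, not -A). The script below is an added example, not code from any of the answers: block_rule, apply_block and rule_effective are hypothetical helpers; rule_effective reads the text of `iptables -S FORWARD` and reports whether a DROP/REJECT for 192.168.0.0/16 precedes Docker's ACCEPT, and apply_block inserts the rule idempotently (needs root).

```shell
#!/bin/sh
# Added example: verify that the 192.168.0.0/16 block rule for traffic
# leaving docker0 is ordered before Docker's outbound ACCEPT in FORWARD.
NET="192.168.0.0/16"

# Print the rule to insert; -I puts it at the top so it wins over Docker's ACCEPT.
block_rule() {
    printf 'iptables -I FORWARD -i docker0 -d %s -j %s\n' "$NET" "${1:-DROP}"
}

# Insert the rule only if it is not already present (-C checks for it). Needs root.
apply_block() {
    iptables -C FORWARD -i docker0 -d "$NET" -j "${1:-DROP}" 2>/dev/null ||
        iptables -I FORWARD -i docker0 -d "$NET" -j "${1:-DROP}"
}

# $1 = output of `iptables -S FORWARD`. Returns 0 when the block rule
# appears before "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT", 1 otherwise.
rule_effective() {
    printf '%s\n' "$1" | awk -v net="$NET" '
        /^-A FORWARD/ { n++ }                       # position among FORWARD rules
        /^-A FORWARD -i docker0 -d / && $0 ~ net && /-j (DROP|REJECT)/ && !blk { blk = n }
        /^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT/ && !acc { acc = n }
        END { exit (blk && (!acc || blk < acc)) ? 0 : 1 }'
}

# Constructed sample: the poster's chain after the corrected -I rule was added.
SAMPLE='-P FORWARD ACCEPT
-A FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'
rule_effective "$SAMPLE" && echo "block rule is ordered correctly"
```

Docker rewrites its own FORWARD rules when the daemon restarts, so re-run the check afterwards; newer Docker releases provide the DOCKER-USER chain as the documented place for rules like this one.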