 

Restrict internet access to docker container?

Tags:

docker

What is the best way to restrict internet access to a single docker container while still forwarding ports?

My current way of doing this works like this:

# --internal: the network gets no default route out and no masquerading
sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
# move the container from the default bridge onto the internal network
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab

The problem is that if I restart the system the ports are not forwarded anymore:

sudo docker ps before reboot:

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                             PORTS                                              NAMES
2d2a062744ec        gitlab/gitlab-ce    "/assets/wrapper"   13 seconds ago      Up 13 seconds (health: starting)   0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp   gitlab

sudo docker ps after reboot:

CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                   PORTS               NAMES
2d2a062744ec        gitlab/gitlab-ce    "/assets/wrapper"   12 minutes ago      Up 2 minutes (healthy)                       gitlab
Socrates asked Oct 29 '17 14:10




1 Answer

So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. At the same time you wish to share the host's network to bind a container port to your host system. It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network.

You could follow this approach:

  • Run a reverse proxy in front of your gitlab container
  • The reverse proxy is a member of your internal network and the default bridge network (which includes the host's net)
  • This enables the reverse proxy to bind to a host port and forward requests to your gitlab container while gitlab still can't access the internet

I quickly put this example together, hope that gets you started:

docker network create --internal --subnet 10.1.1.0/24 no-internet

docker network create internet

docker-compose.yml:

version: '2'

services:
  # Backend that must not reach the internet: attached only to the
  # --internal network, so it has no route out and publishes no ports.
  whoami:
    image: jwilder/whoami
    container_name: whoami
    networks:
      - no-internet

  # Reverse proxy on both networks: it publishes port 80 on the host and
  # forwards requests to whoami over the internal network.
  proxy:
    image: nginx:1.13-alpine
    container_name: proxy
    networks:
      - internet
      - no-internet
    volumes:
      - ./vhost.conf:/etc/nginx/conf.d/default.conf
    ports:
      - "80:80"

# Both networks were created beforehand with "docker network create",
# so they are declared as external here.
networks:
  internet:
    external:
      name: internet
  no-internet:
    external:
      name: no-internet

vhost.conf:

# jwilder/whoami listens on port 8000; the name "whoami" resolves through
# Docker's embedded DNS because both containers share the no-internet network.
upstream whoami {
    server whoami:8000;
}

server {
    server_name localhost;
    listen 80;
    location / {
        proxy_pass http://whoami;
    }
}

Please note the above mentioned internet network is actually not needed, as a docker container shares the host network by default anyway. It's just there to make things clearer.

In the example depicted above, open http://localhost/ and you will see the response of the whoami container, the whoami container itself however can't connect to the internet.

tworabbits answered Oct 27 '22 15:10
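The answer shows the layout but not how to confirm it actually isolates the backend. The script below is an added example, not part of the answer above: it renders the nginx vhost for an arbitrary upstream and, when `RUN_DOCKER_CHECKS=1` is set, checks that the `no-internet` network is marked `--internal`, that a throwaway container on it cannot fetch an external URL, that a container on the `internet` network can, and that the published host port answers. It assumes the network names from the answer, a running Docker daemon with the stack already up, `curl` on the host, and the `alpine:3` image (pulled by the host, which does have internet). The function names are ours.

```shell
#!/bin/sh
# Added example: verify the split-network reverse-proxy layout.
# Assumes networks "no-internet" (--internal) and "internet" exist,
# the stack from the answer is up, and curl is available on the host.

# Render an nginx server block that proxies to UPSTREAM_HOST:UPSTREAM_PORT.
render_vhost() {
  host=$1
  port=$2
  cat <<EOF
upstream backend {
    server ${host}:${port};
}

server {
    server_name localhost;
    listen 80;
    location / {
        proxy_pass http://backend;
    }
}
EOF
}

# Return 0 if the JSON from "docker network inspect" marks the network
# as internal (Docker then adds no masquerade rule and no default route).
inspect_says_internal() {
  printf '%s\n' "$1" | grep -q '"Internal": true'
}

# Return 0 if the named network is marked --internal.
network_is_internal() {
  inspect_says_internal "$(docker network inspect "$1")"
}

# Return 0 if a throwaway container attached only to NET cannot fetch URL
# within 3 seconds. On an --internal network even DNS resolution fails,
# so the fetch is expected to fail there.
egress_blocked() {
  net=$1
  url=${2:-http://example.com/}
  if docker run --rm --network "$net" alpine:3 \
       wget -q -T 3 -O /dev/null "$url" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Return 0 if the published host port answers over HTTP.
host_port_serves() {
  curl -sf -m 3 -o /dev/null "http://127.0.0.1:${1}/"
}

run_checks() {
  if network_is_internal no-internet; then
    echo "OK: no-internet is --internal"
  else
    echo "FAIL: no-internet is not --internal"; return 1
  fi
  if egress_blocked no-internet; then
    echo "OK: a container on no-internet cannot reach the internet"
  else
    echo "FAIL: a container on no-internet reached the internet"; return 1
  fi
  if egress_blocked internet; then
    echo "FAIL: the internet network has no egress either"; return 1
  else
    echo "OK: the internet network has egress"
  fi
  if host_port_serves 80; then
    echo "OK: host port 80 answers"
  else
    echo "FAIL: nothing answers on host port 80"; return 1
  fi
}

# Only touch Docker when explicitly asked, so the file can also be sourced.
if [ "${RUN_DOCKER_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Run it as `RUN_DOCKER_CHECKS=1 sh check_isolation.sh` after `docker-compose up -d`. To cover the reboot problem from the question, add `restart: always` to both services in the compose file; Docker then re-creates the proxy's port mapping on restart, and the backend keeps its only attachment to the internal network.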