Limit docker containers outbound access to single interface

  docker, docker-compose, iptables

I’m trying to set up a system with a number of Docker containers across multiple Docker networks, to limit access. The piece I’m struggling with is that I want a bridge network allowing containers within it to be accessible from outside the host on specific ports, and also for it to have access to communicate with devices connected to a specific network interface on the host, but not the internet.

Here’s my docker compose so far:

version: "3.4"
services:
  isolated_comms:
    image: nginx:stable
    container_name: isolated_comms
    networks:
      - local_network
    environment:
      EXTERNAL_IP: 192.168.168.1
  isolated_webserver:
    image: httpd
    container_name: isolated_webserver
    networks:
      - local_network
    ports:
      - "192.168.168.1:80:80"
  isolated_busybox:
    image: busybox
    container_name: isolated_busybox
    command: sleep 1000
    networks:
      - local_network

networks:
  local_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_ip_masquerade: "false"

The containers above are running on a Raspberry Pi; the Ethernet port on it has the static IP 192.168.168.1, and connected to that port is my laptop, which has the static IP 192.168.168.2.

As it is now, I can connect to the isolated_webserver from my laptop by navigating to 192.168.168.1 in a web browser, so inbound access is OK. On my laptop I’m running a simple web server from Python (python -m http.server 80). I cannot access the web server running on the laptop from the isolated_comms container on the Pi through

docker exec -it isolated_comms curl 192.168.168.2:80

I think I’m missing some iptables rules, but I’m unsure where to start; the bigger question is, am I trying to do this the right way, or is there a better approach?

Source: Docker Questions
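One way to express the missing rules, as an added example that is not part of the original question and not Docker's own configuration: it assumes the compose network was assigned 172.18.0.0/16 and that the Pi's Ethernet port is eth0 (both placeholders; check with docker network inspect and ip addr). The policy lives in the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules, and a MASQUERADE limited to the Ethernet interface replaces the bridge-wide one the compose file disables, so the laptop can answer without needing a route back to the container subnet.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the iptables rules that let
# containers on one Docker bridge reach only the LAN behind one host interface
# (and each other), log and drop any other forwarded egress, and SNAT only
# onto that interface. Values below are assumptions; override via environment.
BRIDGE_SUBNET="${BRIDGE_SUBNET:-172.18.0.0/16}"   # subnet of local_network (docker network inspect)
LAN_IF="${LAN_IF:-eth0}"                          # host interface carrying 192.168.168.1
LAN_NET="${LAN_NET:-192.168.168.0/24}"            # devices reachable on that interface

# The chain is flushed and rebuilt because Docker pre-installs a trailing
# RETURN in DOCKER-USER; rules appended after it would never be reached.
# Inbound published ports are unaffected: their first packet has a LAN source,
# and replies match the RELATED,ESTABLISHED rule.
gen_rules() {
  cat <<EOF
iptables -F DOCKER-USER
iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
iptables -A DOCKER-USER -s $BRIDGE_SUBNET -d $BRIDGE_SUBNET -j RETURN
iptables -A DOCKER-USER -s $BRIDGE_SUBNET -o $LAN_IF -d $LAN_NET -j RETURN
iptables -A DOCKER-USER -s $BRIDGE_SUBNET -m limit --limit 5/min -j LOG --log-prefix "docker-egress-denied: "
iptables -A DOCKER-USER -s $BRIDGE_SUBNET -j DROP
iptables -A DOCKER-USER -j RETURN
iptables -t nat -C POSTROUTING -s $BRIDGE_SUBNET -o $LAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $BRIDGE_SUBNET -o $LAN_IF -j MASQUERADE
EOF
}

# Apply as root after reviewing the printed rules.
apply_rules() { gen_rules | sh; }

# Self-check: number of RETURN rules that would let bridge traffic leave via an
# interface other than LAN_IF (intra-bridge traffic excluded). Must be zero.
leak_rules() {
  gen_rules | grep -- "-s $BRIDGE_SUBNET" | grep -- "-j RETURN" \
    | grep -v -- "-d $BRIDGE_SUBNET" | grep -vc -- "-o $LAN_IF" || true
}

gen_rules
```

The flush discards anything already in DOCKER-USER, so merge these with existing rules if the chain is in use. Denied attempts appear in the kernel log with the docker-egress-denied prefix, which gives a simple signal for a container trying to reach somewhere it should not.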
