Docker Iptables with Docker Limit access on Docker containers to a set of IPs
Example
First, install ipset if needed. Please refer to your distribution to know how to do it. As an example, here is the command for Debian-like distributions.
$ apt-get update
$ apt-get install ipset
Then create a configuration file to define an ipset containing the IPs for which you want to open access to your Docker containers.
$ vi /etc/ipfriends.conf
# Recreate the ipset if needed, and flush all entries
create -exist ipfriends hash:ip family inet hashsize 1024 maxelem 65536
flush
# Give access to specific ips
add ipfriends XXX.XXX.XXX.XXX
add ipfriends YYY.YYY.YYY.YYY
Load this ipset.
$ ipset restore < /etc/ipfriends.conf
Be sure that your Docker daemon is running : no error should be shown after entering the following command.
$ docker ps
You are ready to insert your iptables rules. You must respect the order.
// All requests of src ips not matching the ones from ipset ipfriends will be dropped.
$ iptables -I DOCKER -i ext_if -m set ! --match-set ipfriends src -j DROP
// Except for requests coming from a connection already established.
$ iptables -I DOCKER -i ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
If you want to create new rules, you will need to remove all custom rules you've added before inserting the new ones.
$ iptables -D DOCKER -i ext_if -m set ! --match-set ipfriends src -j DROP
$ iptables -D DOCKER -i ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT
