Docker Iptables with Docker Limit access on Docker containers to a set of IPs

Help us to keep this website almost Ad Free! It takes only 10 seconds of your time:
> Step 1: Go view our video on YouTube: EF Core Bulk Extensions
> Step 2: And Like the video. BONUS: You can also share it!

Example

First, install ipset if needed. Please refer to your distribution to know how to do it. As an example, here is the command for Debian-like distributions.

$ apt-get update
$ apt-get install ipset

Then create a configuration file to define an ipset containing the IPs for which you want to open access to your Docker containers.

$ vi /etc/ipfriends.conf
# Recreate the ipset if needed, and flush all entries
create -exist ipfriends hash:ip family inet hashsize 1024 maxelem 65536
flush
# Give access to specific ips
add ipfriends XXX.XXX.XXX.XXX
add ipfriends YYY.YYY.YYY.YYY

Load this ipset.

$ ipset restore < /etc/ipfriends.conf

Be sure that your Docker daemon is running : no error should be shown after entering the following command.

$ docker ps

You are ready to insert your iptables rules. You must respect the order.

// All requests of src ips not matching the ones from ipset ipfriends will be dropped.
$ iptables -I DOCKER -i ext_if -m set ! --match-set ipfriends src -j DROP
// Except for requests coming from a connection already established.
$ iptables -I DOCKER -i ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT

If you want to create new rules, you will need to remove all custom rules you've added before inserting the new ones.

$ iptables -D DOCKER -i ext_if -m set ! --match-set ipfriends src -j DROP
$ iptables -D DOCKER -i ext_if -m state --state ESTABLISHED,RELATED -j ACCEPT


Got any Docker Question?