Restricting access to exposed ports for only a specific container

[NiharPattanaik]

Hi Bret,

I was great Docker tutorial and i enjoyed all your lectures. I have a problem i'm not able to solve, appreciate if you can help me.

In my product i have introduced a RabbitMQ container and we have already few more different containers are running on the same docker runtime. For RabbitMQ i have exposed few ports. Now the issue is how to restrict the access to these ports from outside as docker allows access to all exposed ports through iptables configuration.

I have thought of adding a new rule to drop all connections from any source in DOCKER or DOCKER-USER chain and then allowing only IPs which are supposed to access. However this will restrict the access to Docker which will impact all other containers also.
Need help on how to restrict ports exposed for my container only and then selectively allowing the access to known IPs.

Regards,
Nihar

[BretFisher]

Hi there.

1. I take it you're using a single docker engine not docker swarm?
2. When you say "exposed", do you mean --published in docker/swarm?
3. If you need to control access to the public IP of a host that has published docker ports, you'd do that with something external usually. Security Groups in AWS, etc. There might be a way to do it on-host with 3rd party network plugins or something, but I've not seen it.

[NiharPattanaik]

Hi Bret,
Thanks for your quick response. I'm using single docker engine and not in swarm mode. The ports are exposed using -p in docker startup. This is an on-prem product and not on the cloud, deployed on multiple nodes in a enterprise DC. Once the port is exposed on docker, the port can be accessed by any system on that network which has IP access. But my requirement is this RabbitMQ container/application should only be accessed few of the nodes.

Regards,
Nihar

[BretFisher]

Yea I don't have an answer for you other than above. In datacenters I work in, they control that at the VLAN level the hosts are placed on.

[BretFisher]

I would think messing with iptables would get overwritten on next docker run. If you figure out a way to solve your issue please update us here to benefit others!

[NiharPattanaik]

I have figured out a solution and tested to be working. This is what i have tried

1. Inserted a custom chain into the FORWARD chain at first position. Position is important as DOCKER
   chain has to be below this.

   iptables -I FORWARD -j ISE_RABBITMQ_FW_CHAIN -p tcp --dport 15672

2. Added a DROP target to this custom chain. This is the default rule for the custom chain.

   iptables -A ISE_RABBITMQ_FW_CHAIN -p tcp --dport 15672 -j DROP

3 - To enable access for specific IPs, new rule with ACCEPT target needs to be inserted before the
default DROP rule. For example to allow 10.126.110.57 to access the container service running on
15672

   iptables -I ISE_RABBITMQ_FW_CHAIN -s 10.126.110.57 -d 169.254.0.1 -p tcp --dport 15672 -j 
   ACCEPT


   The default DROP rule has to be the last rule in this chain.

4 - Every time docker daemon restarts, it is required to keep ISE_RABBITMQ_FW_CHAIN at the top of
the FORWARD chain as docker restart recreates the DOCKER chain and adds to the top of the
FORWARD chain. For this i drop the existing ISE_RABBITMQ_FW_CHAIN under FORWARD and
inserts again.

  iptables -D FORWARD -j ISE_RABBITMQ_FW_CHAIN -p tcp --dport 15672
  iptables -I FORWARD -j ISE_RABBITMQ_FW_CHAIN -p tcp --dport 15672

I'm not a linux/docker expert, somehow tried some solution. Please let me know if anyone of you find any flaw in this approach. Feedback is much appreciated.

[NiharPattanaik]

Another option i have tried is updating the NAT rules added by Docker by specifying the source for the IPs allowed to connect. This works but when container restarts, the rules will be again over written by docker.