@FoxxMD
Last active February 24, 2025 17:55
Blocking Docker container Egress to LAN

Hardens Docker networking between Stacks and LAN

Blocking Egress to LAN

Achieves:

  • Allow LAN -> Docker container communication
  • (Optional) Allow Docker -> LAN DNS
  • Block egress from Docker container to LAN destination (when established solely by container)

Find Docker Interface

https://unix.stackexchange.com/a/417839

systemctl list-units --no-pager

Find the name of the interface Docker uses as a bridge to communicate with host/LAN. For standalone docker this is probably docker0, for swarm it's docker_gwbridge.

The unit will look similar to this:

sys-devices-virtual-net-docker0.device

Configure iptables

Move restrict-docker-lan-egress.sh to /root/restrict-docker-lan-egress.sh and make sure to chmod +x it. Edit the file so LAN refers to your own LAN network (in CIDR notation) and change -i docker_gwbridge to refer to the Docker interface found in the previous section.

Configure unit

Move docker-lan-egress.service to /etc/systemd/system. Edit the file and use the sys-devices-virtual-* device found in the previous section in the After= directive. systemd derives the unit name from the file name, so the name you pass to systemctl below must match the file you installed.

Test and Enable

Now test that the service and script work:

sudo systemctl daemon-reload
sudo systemctl start restrict-docker-egress.service
sudo systemctl status restrict-docker-egress.service
#...systemd[1]: Started Add Docker bridge egress iptables restrictions.
#...systemd[1]: restrict-docker-egress.service: Succeeded.

Check iptables

sudo iptables -L DOCKER-USER --line-numbers

The output should look like:

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  docker_gwbridge any     192.168.1.0/16       anywhere             state NEW
2        0     0 ACCEPT     all  --  docker_gwbridge any     anywhere             192.168.1.0/16       state RELATED,ESTABLISHED
3        0     0 ACCEPT     udp  --  docker_gwbridge any     anywhere             mydns.localdomain  udp dpt:domain
4        0     0 DROP       all  --  docker_gwbridge any     anywhere             192.168.1.0/16 

If everything worked then enable the unit to run on startup:

sudo systemctl enable restrict-docker-egress.service
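The listing above is only useful if the rules are in the right order: the RELATED,ESTABLISHED accept must come before the DROP, or replies from containers to LAN clients are dropped, and RETURN must stay last. The following check script is an added example, not part of the gist; it parses `iptables -S DOCKER-USER` output (a constructed sample is embedded, and iptables prints the LAN with the mask applied, so 192.168.1.0/16 appears as 192.168.0.0/16) and reports whether the chain is ordered as intended.

```shell
#!/usr/bin/env bash
# Constructed sample of `iptables -S DOCKER-USER` after the script has run
# (not captured from a real host). iptables prints networks with the mask
# applied, so LAN=192.168.1.0/16 shows up as 192.168.0.0/16.
SAMPLE_RULES='-N DOCKER-USER
-A DOCKER-USER -s 192.168.0.0/16 -i docker_gwbridge -m state --state NEW -j ACCEPT
-A DOCKER-USER -d 192.168.0.0/16 -i docker_gwbridge -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -d 192.168.1.200/32 -i docker_gwbridge -p udp -m udp --dport 53 -j ACCEPT
-A DOCKER-USER -d 192.168.0.0/16 -i docker_gwbridge -j DROP
-A DOCKER-USER -j RETURN'

# check_egress_rules IFACE LAN  (rules from `iptables -S DOCKER-USER` on stdin)
# Verifies the ordering the block depends on: the RELATED,ESTABLISHED accept
# must sit above the DROP for the LAN (otherwise container replies to LAN
# clients die), the DROP must exist, and RETURN must be the final rule.
# Returns 0 when the chain is sane, a distinct non-zero code per failure.
check_egress_rules() {
  iface=$1; lan=$2
  n=0; est=0; drop=0; last=""
  while IFS= read -r line; do
    case $line in "-A DOCKER-USER "*) ;; *) continue ;; esac
    n=$((n + 1)); last=$line
    case $line in
      *"-d $lan -i $iface "*"--state "*ESTABLISHED*"-j ACCEPT")
        if [ "$est" -eq 0 ]; then est=$n; fi ;;
      *"-d $lan -i $iface -j DROP")
        if [ "$drop" -eq 0 ]; then drop=$n; fi ;;
    esac
  done
  if [ "$drop" -eq 0 ]; then echo "FAIL: no DROP for $lan on $iface"; return 1; fi
  if [ "$est" -eq 0 ] || [ "$est" -gt "$drop" ]; then
    echo "FAIL: RELATED,ESTABLISHED accept missing or below the DROP"; return 2
  fi
  case $last in *"-j RETURN") ;; *) echo "FAIL: last rule is not RETURN"; return 3 ;; esac
  echo "OK: DOCKER-USER egress rules for $lan on $iface are ordered correctly"
}

# Stand-alone demo on the sample; on a real host pipe in the live chain instead:
#   sudo iptables -S DOCKER-USER | check_egress_rules docker_gwbridge 192.168.0.0/16
printf '%s\n' "$SAMPLE_RULES" | check_egress_rules docker_gwbridge 192.168.0.0/16
```

Pass the LAN exactly as iptables prints it (network address plus mask), not as typed in the script.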

(Bonus) Restricting Traffic between Stacks

https://github.com/kaysond/trafficjam

docker-lan-egress.service

[Unit]
Description=Add Docker bridge egress iptables restrictions
Requires=systemd-networkd.socket
# wait for bridge interface to come online before adding rules
# https://unix.stackexchange.com/a/417839
After=sys-devices-virtual-net-docker_gwbridge.device
[Service]
ExecStart=/usr/bin/bash /root/restrict-docker-lan-egress.sh
Type=simple
[Install]
WantedBy=multi-user.target
restrict-docker-lan-egress.sh

#!/usr/bin/bash
# abort on the first failed iptables call rather than leave a half-built,
# permissive chain behind
set -e
# LAN network in CIDR notation; iptables applies the mask, so host bits
# beyond it are ignored (192.168.1.0/16 is stored as 192.168.0.0/16)
LAN=192.168.1.0/16
# create the chain if Docker has not done so yet (Docker reuses an existing
# DOCKER-USER chain and adds its FORWARD jump to it), then flush any existing
# rules (normally just the RETURN Docker adds)
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
# accept new ingress from LAN
iptables -A DOCKER-USER -i docker_gwbridge -s $LAN -m state --state NEW -j ACCEPT
# allow egress to LAN if connection is already established
iptables -A DOCKER-USER -i docker_gwbridge -d $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# (optional) allow all egress to LAN DNS IP
# remove statement if not needed
iptables -A DOCKER-USER -i docker_gwbridge -d 192.168.1.200 -p udp --dport 53 -j ACCEPT
# drop all others to LAN
iptables -A DOCKER-USER -i docker_gwbridge -d $LAN -j DROP
# move to next chain
iptables -A DOCKER-USER -j RETURN