
What is the best way to restrict internet access to a single docker container while still forwarding ports?

My current way of doing this works like this:

sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab

The problem is that if I restart the system the ports are not forwarded anymore:

sudo docker ps before reboot:

CONTAINER ID   IMAGE              COMMAND             CREATED          STATUS                             PORTS                                               NAMES
2d2a062744ec   gitlab/gitlab-ce   "/assets/wrapper"   13 seconds ago   Up 13 seconds (health: starting)   0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp   gitlab

sudo docker ps after reboot:

CONTAINER ID   IMAGE              COMMAND             CREATED          STATUS                 PORTS   NAMES
2d2a062744ec   gitlab/gitlab-ce   "/assets/wrapper"   12 minutes ago   Up 2 minutes (healthy)           gitlab
  • Have you tried --network no-internet on the docker run command? And in that case I think you could drop the last two commands. Commented Oct 29, 2017 at 14:19
  • @DanLowe I have, but then I run into the problem that the ports are not forwarded, resulting in the same as with my current solution after rebooting. Commented Oct 29, 2017 at 14:22
  • I'm not certain what you want is possible just using network commands. You may be better off using something like iptables inside the container to block whatever traffic you don't want to escape. Commented Oct 29, 2017 at 14:46
  • You'll probably need to open up a feature request with libnetwork to get --internal and a published port working together. Commented Oct 29, 2017 at 15:08
  • @herm No, I was using the user's example network named no-internet. Commented Oct 29, 2017 at 16:18

2 Answers

So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. At the same time you wish to share the host's network to bind a container port to your host system. It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network.

You could follow this approach:

  • Run a reverse proxy in front of your gitlab container
  • The reverse proxy is a member of your internal network and the default bridge network (which includes the host's net)
  • This enables the reverse proxy to bind to a host port and forward requests to your gitlab container while gitlab still can't access the internet

I quickly put this example together, hope that gets you started:

docker network create --internal --subnet 10.1.1.0/24 no-internet

docker network create internet

docker-compose.yml:

version: '2'

services:
  whoami:
    image: jwilder/whoami
    container_name: whoami
    networks:
      - no-internet

  proxy:
    image: nginx:1.13-alpine
    container_name: proxy
    networks:
      - internet
      - no-internet
    volumes:
      - ./vhost.conf:/etc/nginx/conf.d/default.conf
    ports:
      - "80:80"

networks:
  internet:
    external:
      name: internet
  no-internet:
    external:
      name: no-internet

vhost.conf:

upstream whoami {
    server whoami:8000;
}

server {
    server_name localhost;
    listen 80;

    location / {
        proxy_pass http://whoami;
    }
}

Please note the above mentioned internet network is actually not needed, as a docker container shares the host network by default anyway. It's just there to make things clearer.

In the example depicted above, open http://localhost/ and you will see the response of the whoami container, the whoami container itself however can't connect to the internet.


You can also use internal:true to disable internet connectivity:

networks:
  yournetwork:
    internal: true
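The two answers fit together: declare the isolated network with `internal: true` directly in the compose file (second answer) and let a container that sits on both networks publish the host ports (first answer). The following docker-compose.yml is an added example, not code from either answer or from the GitLab project. It applies the pattern to the original question (GitLab on host ports 80 and 822) using small `alpine/socat` TCP relays instead of nginx, so no extra config file is needed and the SSH port can be forwarded too; the `alpine/socat` image (whose entrypoint is socat), the service names and the 10.1.1.0/24 subnet are assumptions. Because every container is created with its final set of networks and a restart policy, nothing has to be connected or disconnected after `docker run`, which is what lost the published ports on reboot in the question.

```yaml
# docker-compose.yml (added example; assumes the alpine/socat image)
version: '2.4'

services:
  gitlab:
    image: gitlab/gitlab-ce
    container_name: gitlab
    restart: always
    networks:
      - no-internet           # its only network: no default route, no masquerading

  http-proxy:
    image: alpine/socat
    restart: always
    depends_on:
      - gitlab
    # raw TCP relay: host:80 -> gitlab:80 across the internal network
    command: TCP-LISTEN:80,fork,reuseaddr TCP:gitlab:80
    networks:
      - internet
      - no-internet
    ports:
      - "80:80"

  ssh-proxy:
    image: alpine/socat
    restart: always
    depends_on:
      - gitlab
    # host:822 -> gitlab:22, for "git clone ssh://git@HOST:822/group/repo.git"
    command: TCP-LISTEN:22,fork,reuseaddr TCP:gitlab:22
    networks:
      - internet
      - no-internet
    ports:
      - "822:22"

networks:
  internet: {}                # ordinary bridge network; only the relays join it
  no-internet:
    internal: true            # same effect as "docker network create --internal"
    ipam:
      config:
        - subnet: 10.1.1.0/24
```

After `docker-compose up -d`, check both halves of the requirement: `curl -sI http://localhost/` from the host should reach GitLab through the relay, while `docker exec gitlab curl -m 5 -sS https://gitlab.com` should fail (no route or no resolution), and `docker ps` should still list the published ports after a reboot. Two caveats a practitioner should keep in mind: socat relays raw TCP, so GitLab sees the relay's address rather than the client's (the nginx setup from the first answer can forward it with `proxy_set_header X-Forwarded-For $remote_addr` for HTTP), and an internal network only blocks the outside world; every container attached to `no-internet` can still talk to GitLab and vice versa, so attach only what needs to be there.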
