
IP address whitelisting for specific service

How do you filter external connections to a specific service, running on Docker? Specifically, how do you filter incoming requests down to a static list of whitelisted IPs?

This answer assumes that:

  • The container will always listen on the same host:port.
  • The container will always be bound on the same network card interface, if ever several are available. This is easily done by using the option -p hostIp:hostPort:containerPort within the docker run command.

Stemming from these two assumptions, it can then be assumed that the service running in the container will always listen on the same host socket, defined as hostIp:hostPort.


Now, all you have to do is firewalling, which is independent from Docker.

I am not an expert and did not test these lines! Be warned before executing them.

# Whitelist for port $PORT. Each rule is inserted at the top of the INPUT chain
# with -I (not appended with -A), so every later command takes precedence over
# the earlier ones: the DROP ends up below all of the ACCEPTs.
# DROP every packet, from every source, sent to port $PORT
iptables -I INPUT -p tcp --dport "$PORT" -j DROP
# ACCEPT every packet coming from source xx.xx.xx.xx sent to port $PORT
iptables -I INPUT -p tcp -s xx.xx.xx.xx --dport "$PORT" -j ACCEPT
# Repeat the last command if needed; you can also specify a network, such as 192.30.252.0/22, instead of xx.xx.xx.xx

These rules are to be set in this precise order. A whitelist can be likened to a blacklist with exceptions.
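An added example, not code from the answer above: the same whitelist written for a port that Docker publishes with -p on its default bridge network. There, Docker DNATs the published port in nat/PREROUTING before the filter table, so the packets traverse FORWARD (where Docker evaluates its DOCKER-USER chain first) rather than INPUT, and the pre-DNAT host address and port have to be matched through conntrack. The function name, the sample port and addresses, and the decision to only print the commands are assumptions of this example.

```shell
#!/bin/sh
# Prints, in the order they must be executed, the iptables commands that
# whitelist a set of sources for one port published with -p HOST_IP:PORT:containerPort.
# Assumed: Docker's default bridge networking, where the published port is DNATed
# before the filter table and the packets traverse FORWARD, not INPUT. Docker
# creates the DOCKER-USER chain (ending with a RETURN rule) and consults it first,
# so the pre-DNAT address/port is matched with --ctorigdst/--ctorigdstport.

# emit_whitelist_rules PORT HOST_IP SOURCE [SOURCE...]
# Prints one iptables command per line; pipe the output into sh as root to apply.
emit_whitelist_rules() {
    port="$1"
    host_ip="$2"
    shift 2
    # Refuse to emit a bare DROP: with no whitelisted source the port would be
    # closed to everyone, the administrator included.
    if [ "$#" -eq 0 ]; then
        echo "emit_whitelist_rules: at least one source address is required" >&2
        return 2
    fi
    # Every rule is inserted at position 1, so each command lands above the
    # previous one: the DROP is emitted first and ends up last in the chain,
    # below all ACCEPTs but above Docker's own RETURN. Appending with -A would
    # place the rules after that RETURN, where they are never evaluated.
    # --ctdir ORIGINAL matches only client-to-container packets, so replies
    # from the container are never affected.
    match="-p tcp -m conntrack --ctorigdst $host_ip --ctorigdstport $port --ctdir ORIGINAL"
    printf 'iptables -I DOCKER-USER 1 %s -j DROP\n' "$match"
    for src in "$@"; do
        printf 'iptables -I DOCKER-USER 1 %s -s %s -j ACCEPT\n' "$match" "$src"
    done
}

# Constructed sample values: whitelist one host and one /24 for port 8080
# published on host address 203.0.113.10.
emit_whitelist_rules 8080 203.0.113.10 192.0.2.5 198.51.100.0/24
```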
