Thiago Kronig

Reputation: 176

Leverage iptables to drop packets between docker containers

I have three containers C1, C2 and C3, forming a cluster, and a DNS instance running. The containers resolve their IPs using the DNS and already can communicate with each other as they expose the needed ports using vanilla docker configuration.

How can I leverage iptables from the host to drop packets between say C1 and C2 at any point in time?

Upvotes: 3

Views: 1907

Answers (1)

larsks

Reputation: 312370

It's not clear from your question exactly what your goal is, so here are a few options.

Disabling ICC

If you run the Docker daemon with --icc=false, then containers will by default not be able to communicate unless you explicitly link them with --link.

If you follow this route, note this issue (tl;dr: you must ensure that the br_netfilter module is loaded on recent kernels).

Modifying iptables inside a container

You can use the nsenter tool to run iptables commands inside a container and add DROP rules to the INPUT chain of the container. For example, if you know (a) the PID of container C1 and (b) the IP address of container C2 (both of which you can get with docker inspect), you could run:

nsenter -t <pid_of_C1> --net iptables -A INPUT -s <ip_of_c2> -j DROP

Modifying iptables on the host

You can modify the FORWARD chain on your host to block traffic between particular containers. For example, to drop packets from C1 to C2:

iptables -I FORWARD 1 -s <ip_of_c1> -d <ip_of_c2> -j DROP

This inserts the above rule at position 1 (-I FORWARD 1) of the FORWARD table. This is necessary because it must come before the -i docker0 -o docker0 -j ACCEPT rule that Docker will add to the FORWARD chain when --icc=true, which is the default.

Upvotes: 11
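The following is an added example and is not part of the answer above or of Docker's own tooling. It wraps the "Modifying iptables on the host" approach in small shell helpers: one builds the FORWARD-chain DROP rule for a container pair (and its matching removal), and one reads an `iptables -S FORWARD` listing and confirms the DROP rule sits above Docker's `-i docker0 -o docker0 -j ACCEPT` rule, which is the ordering mistake the answer warns about. The container IPs and the two rule listings are constructed sample values; only `apply_block` touches real rules, and the stand-alone run never calls it.

```shell
#!/bin/sh
# Added example, not from the answer above. Helpers around the host-side
# FORWARD-chain DROP approach, plus an ordering check against Docker's
# "-i docker0 -o docker0 -j ACCEPT" rule. IPs and listings are constructed.

# Print the command that drops traffic from $1 to $2, inserted at position 1
# so it is evaluated before Docker's ACCEPT rule.
block_rule_cmd() {
    printf 'iptables -I FORWARD 1 -s %s -d %s -j DROP\n' "$1" "$2"
}

# Print the command that removes that rule again (same match, -D instead of -I).
unblock_rule_cmd() {
    printf 'iptables -D FORWARD -s %s -d %s -j DROP\n' "$1" "$2"
}

# Run the block rule on the host. Requires root; call this deliberately.
apply_block() {
    eval "$(block_rule_cmd "$1" "$2")"
}

# Read an `iptables -S FORWARD` listing on stdin. Exit 0 only if a
# "-s $1/32 -d $2/32 ... -j DROP" rule appears before the docker0 ACCEPT rule.
# A DROP placed after that ACCEPT never matches, so that ordering fails.
drop_precedes_accept() {
    awk -v src="$1" -v dst="$2" '
        BEGIN { accept_seen = 0; status = 1 }
        index($0, "-i docker0 -o docker0 -j ACCEPT") { accept_seen = 1 }
        index($0, "-s " src "/32") && index($0, "-d " dst "/32") && index($0, "-j DROP") {
            if (!accept_seen) status = 0
        }
        END { exit status }
    '
}

# Constructed listing: rule inserted at position 1, as the answer recommends.
sample_listing_correct() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -s 172.17.0.2/32 -d 172.17.0.3/32 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
}

# Constructed listing: same rule appended with -A, so it lands after the
# ACCEPT rule and never fires.
sample_listing_wrong_order() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -s 172.17.0.2/32 -d 172.17.0.3/32 -j DROP
EOF
}

# Stand-alone demonstration: prints the commands and checks the two sample
# listings. Nothing here modifies the host's real rules.
C1_IP=172.17.0.2   # constructed
C2_IP=172.17.0.3   # constructed
block_rule_cmd "$C1_IP" "$C2_IP"
unblock_rule_cmd "$C1_IP" "$C2_IP"
if sample_listing_correct | drop_precedes_accept "$C1_IP" "$C2_IP"; then
    echo "correct listing: DROP precedes docker0 ACCEPT"
fi
if ! sample_listing_wrong_order | drop_precedes_accept "$C1_IP" "$C2_IP"; then
    echo "wrong-order listing: DROP would never match"
fi
```

On a real host the check is `iptables -S FORWARD | drop_precedes_accept "$C1_IP" "$C2_IP"` after `apply_block`. The ACCEPT match string assumes the default `docker0` bridge; containers on a user-defined network sit on a differently named bridge (`br-<id>`), so the string in `drop_precedes_accept` would need to match that interface instead.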
