kami

Reputation: 81

how block docker container port with iptables?

I use the docker service to set up a container network, and I just open port 7035 for a target IP and expose it to the host.
When I check the iptables with 'iptables -nvL' I saw the FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.18.0.2           tcp dpt:7053
1680K  119M DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1680K  119M DOCKER     all  --  *      br-287ce7f19804  0.0.0.0/0            0.0.0.0/0           
1680K  119M ACCEPT     all  --  *      br-287ce7f19804  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

and the DOCKER chain:

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.2           tcp dpt:7053
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.2           tcp dpt:7051
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.3           tcp dpt:2181
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.4           tcp dpt:7053
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.4           tcp dpt:7051
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.6           tcp dpt:7053
    0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.6  

And I want to block the container 172.18.0.2 and its port 7053, so I use sudo iptables -I FORWARD -p tcp -d 172.18.0.2 --dport 7053 -j DROP.

But it doesn't work. So, what should I do to block the target IP and port?

Upvotes: 6

Views: 7598

Answers (1)

Peter

Reputation: 31

The following should work:

iptables -I DOCKER 1 -p tcp --dport 7053 -j DROP

This will insert the DROP rule before all the other rules in the DOCKER chain.

The following is a useful command as well:

iptables --list DOCKER -n --line

As well, if you add -v (verbose) you get more detail.

By now, you probably have your answer, but it may help others.

Upvotes: 3
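As an added example (not part of Peter's answer or of the asker's host), here is a small sh/awk checker for the point the answer turns on: iptables stops at the first matching rule, so a DROP only takes effect if it sits above the ACCEPT that Docker generated for the same port. It reads a listing in the format of `iptables -nvL CHAIN --line-numbers` and reports which rule would match first for a given destination address and TCP port. The three listings inside it are constructed, modelled on the DOCKER chain shown in the question; the iptables commands in the comments are the ones from the answer and are not executed by the script.

```shell
#!/bin/sh
# Added example, not from the question or answer: check rule ORDER in an
# iptables chain listing. iptables uses the first matching rule, so a DROP
# placed after Docker's ACCEPT for the same port is never reached.
#
# Commands this models (need root; not run by this script):
#   iptables -I DOCKER 1 -p tcp --dport 7053 -j DROP
#   iptables --list DOCKER -n -v --line-numbers
#
# first_verdict LISTING DEST PORT
#   LISTING: text of `iptables -nvL CHAIN --line-numbers` (line numbers are
#            required; they fix the column positions used below)
#   Prints the target (ACCEPT/DROP/...) of the first rule that would match a
#   TCP packet to DEST:PORT, or NOMATCH if the chain would fall through.
first_verdict() {
    printf '%s\n' "$1" | awk -v dest="$2" -v port="$3" '
        BEGIN { want = "dpt:" port; found = 0 }
        # rule lines start with their line number; header lines do not
        $1 ~ /^[0-9]+$/ {
            target = $4; prot = $5; dst = $10
            # protocol must be tcp or all
            if (prot != "tcp" && prot != "all") next
            # destination must be the wildcard or exactly our address
            if (dst != "0.0.0.0/0" && dst != dest) next
            # a rule without a dpt: match applies to every port
            hasport = 0; portok = 1
            for (i = 11; i <= NF; i++)
                if ($i ~ /^dpt:/) { hasport = 1; portok = ($i == want) }
            if (hasport && !portok) next
            found = 1; print target; exit
        }
        END { if (!found) print "NOMATCH" }'
}

# Constructed listing modelled on the DOCKER chain in the question (no DROP yet).
BEFORE='Chain DOCKER (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.2           tcp dpt:7053
2        0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.2           tcp dpt:7051
3        0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.4           tcp dpt:7053'

# Constructed: the DROP appended with -A instead of -I 1. It is present but
# never reached, which is also why its pkts counter stays at 0.
APPENDED="$BEFORE
4        0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.18.0.2           tcp dpt:7053"

# Constructed: the chain after `iptables -I DOCKER 1 -p tcp --dport 7053 -j DROP`.
AFTER='Chain DOCKER (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7053
2        0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.2           tcp dpt:7053
3        0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.2           tcp dpt:7051
4        0     0 ACCEPT     tcp  --  !br-287ce7f19804 br-287ce7f19804  0.0.0.0/0            172.18.0.4           tcp dpt:7053'

echo "before:   172.18.0.2:7053 -> $(first_verdict "$BEFORE"   172.18.0.2 7053)"
echo "appended: 172.18.0.2:7053 -> $(first_verdict "$APPENDED" 172.18.0.2 7053)"
echo "inserted: 172.18.0.2:7053 -> $(first_verdict "$AFTER"    172.18.0.2 7053)"
echo "inserted: 172.18.0.2:7051 -> $(first_verdict "$AFTER"    172.18.0.2 7051)"
```

On a real host, pass `"$(iptables -nvL DOCKER --line-numbers)"` as the first argument. The appended case is the failure mode behind the question: the rule exists but is never consulted, and the `pkts` column of the `-v` listing shows 0 for it. One caveat for anyone relying on the accepted command: Docker regenerates the DOCKER chain when containers are started or restarted, so a rule inserted there can be lost; current Docker versions provide the DOCKER-USER chain, which is evaluated before DOCKER and is the documented place for user-added filtering rules.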
