Score:2

CentOS Docker iptables: block all traffic except a domain


I’m trying to block all outgoing traffic with iptables for Docker’s interface docker0, but I would like to open access to a few domains.

How can I do that?

I tried this:

iptables -I OUTPUT -o docker0 -j DROP                                        # OUTPUT: packets generated by the host itself, leaving via docker0
iptables -I DOCKER -i docker0 -p udp --dport 53 -j ACCEPT                    # DOCKER: the chain the Docker daemon maintains
iptables -I DOCKER -i docker0 -p tcp -d mydomain.com --dport 80 -j ACCEPT    # -d with a name is resolved once, at insertion time
iptables -I DOCKER -i docker0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Score:0

This is impossible. iptables controls Netfilter, which is an IP packet filter (a firewall) that acts on OSI layers 3 and 4. DNS domain names are a higher-level (and somewhat orthogonal) thing.

You may control access to some IP addresses (L3) and TCP/UDP ports (L4) with Netfilter.

If you want to control access to web sites, you have the following options:

  • resolve the DNS name in advance, get the IP addresses and put those into the firewall. AFAIK iptables does that itself when you give it a domain name; what it configures inside Netfilter is the resolved IP address for that name. When the owner of that domain decides to change the IP address, your rule won't apply anymore. If more than one web site is hosted on the server that has this IP address (i.e. there is virtual hosting which hosts several names), you will either permit them all together or disable them all together. This is what you seem to be doing right now;
  • an HTTP(S) proxy, which checks requested domain names and forbids access to some. Modern inventions like ECH (ESNI) will reduce your power down to only controlling access to IP ranges, as with a plain firewall, because they make it impossible for you to find out which hostname was requested;
  • DNS filtering, which configures which domains your recursive resolver will resolve for clients and which ones it won't. Again, modern inventions like DNS-over-HTTP (by Cloudflare) will impair your power to do that, because your DNS server will no longer be responsible for resolving names and you can't possibly know which hostname was requested;
  • deep packet inspection (DPI). And again, the modern Internet is clearly going towards disabling the possibility of traffic inspection by third parties.
mangohost
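The first option in the answer above (resolve the name in advance, put the addresses into the firewall) can be made explicit and repeatable instead of relying on iptables resolving `-d mydomain.com` once at insertion time. The script below is an added example, not code from the question or the answer. It assumes Docker is running with its iptables integration enabled, so packets forwarded from containers traverse the FORWARD chain and the DOCKER-USER chain that Docker creates for user rules ahead of its own, that the bridge is docker0, and that the host resolver answers via getent; `mydomain.com` and the 203.0.113.x addresses are placeholders. The rule generator is separated from the resolver so the generated rules can be reviewed (or tested) offline.

```shell
#!/bin/sh
# Added example: egress allowlist for Docker containers by pre-resolved IP.
# Assumptions (not from the original post): Docker's DOCKER-USER chain exists,
# containers sit on docker0, getent can reach a resolver. Re-run from cron,
# because the addresses behind a name change and the rules go stale.
set -e

# Resolve one name to its current IPv4 addresses.
# Prints "<domain> <ip> <ip> ..." (needs DNS, so the offline test does not use it).
resolve_v4() {
    domain="$1"
    ips=$(getent ahostsv4 "$domain" | awk '{print $1}' | sort -u | tr '\n' ' ')
    printf '%s %s\n' "$domain" "$ips"
}

# Turn "<domain> <ip> ..." lines on stdin into iptables commands for DOCKER-USER.
# Pure text transformation, so it can be checked without touching the kernel.
# $1: bridge interface the containers are attached to (e.g. docker0).
emit_rules() {
    iface="$1"
    echo "iptables -F DOCKER-USER"
    # Container-to-container traffic on the same bridge: leave it to Docker's own rules.
    echo "iptables -A DOCKER-USER -i $iface -o $iface -j RETURN"
    # Later packets of flows the containers were already allowed to open.
    echo "iptables -A DOCKER-USER -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DNS, so the containers can still resolve the permitted names.
    echo "iptables -A DOCKER-USER -i $iface -p udp --dport 53 -j ACCEPT"
    echo "iptables -A DOCKER-USER -i $iface -p tcp --dport 53 -j ACCEPT"
    while read -r domain ips; do
        [ -n "$domain" ] || continue
        for ip in $ips; do
            # Caveat from the answer: this matches the address, not the name. Every
            # site sharing the address is allowed as well.
            echo "iptables -A DOCKER-USER -i $iface -d $ip -p tcp -m multiport --dports 80,443 -j ACCEPT"
        done
    done
    # Everything else leaving the bridge is dropped; non-bridge traffic continues as before.
    echo "iptables -A DOCKER-USER -i $iface -j DROP"
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Usage: allowlist.sh [--apply] domain [domain ...]
# Without --apply the rules are only printed, so they can be reviewed first.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--apply" ]; then
        shift
        for d in "$@"; do resolve_v4 "$d"; done | emit_rules docker0 | sh -e
    else
        for d in "$@"; do resolve_v4 "$d"; done | emit_rules docker0
    fi
fi
```

After `--apply`, `iptables -L DOCKER-USER -n -v` shows the chain with per-rule packet counters, which is the quickest way to confirm that container traffic is actually hitting these rules rather than the OUTPUT chain used in the question. The generator deliberately flushes and rebuilds the whole chain on every run rather than inserting with `-I`, so stale addresses from a previous resolution disappear instead of accumulating.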

