Score:0

Preventing docker container from accessing internet except SSH, DNS and SMTP


I have a docker container with an SSH server, an HTTP server, and an SMTP client (that needs to resolve domain names).

Besides that, I would like to prevent the container from accessing the internet.

I use the rules from https://github.com/chaifeng/ufw-docker to avoid exposing the container ports to the internet, but that's probably another story.

Adding

ufw route deny from 172.25.0.4 to any

indeed prevents the container (internal IP 172.25.0.4, as obtained with docker inspect) from accessing the internet, and the HTTP server is still accessible.

For DNS and SMTP, the following seems to do the trick, when added before the previous rule:

ufw route allow proto udp from 172.25.0.4 to any port 53

ufw route allow from 172.25.0.4 to any port 587

However, I am unable to get SSH (Internet -> container) to work. It connects fine without the deny rule, but as soon as it is added, the connection fails with UFW reporting blocking of ports that seem unrelated to port 22 (e.g. SPT=49733 DPT=28316).

What am I missing, and how can I allow SSH traffic to the container?

mangohost
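Added example, not part of the question and not code from ufw-docker: a small Python script that parses "[UFW BLOCK]" log lines and labels each blocked packet against the policy described above (egress DNS on udp/53 and SMTP on port 587, inbound SSH on tcp/22, everything else from the container denied), so that entries such as SPT=49733 DPT=28316 can be checked against the intended rules. The sample log lines, interface names and peer addresses are constructed; only the container IP and ports come from the question.

```python
import re
from typing import Dict, List, Tuple

# Values from the question: the container's internal address and the intended policy.
CONTAINER_IP = "172.25.0.4"
ALLOWED_EGRESS = {("UDP", 53), ("TCP", 587)}   # DNS and SMTP submission out of the container
ALLOWED_INGRESS = {("TCP", 22)}                # SSH into the container

# Constructed sample of ufw's netfilter-style log lines (interfaces and peers are made up).
SAMPLE_LOG = """\
[UFW BLOCK] IN=br-ctr OUT=eth0 SRC=172.25.0.4 DST=198.51.100.7 PROTO=TCP SPT=49733 DPT=28316 SYN
[UFW BLOCK] IN=br-ctr OUT=eth0 SRC=172.25.0.4 DST=198.51.100.9 PROTO=UDP SPT=40000 DPT=53
[UFW BLOCK] IN=eth0 OUT=br-ctr SRC=203.0.113.5 DST=172.25.0.4 PROTO=TCP SPT=51000 DPT=22 SYN
[UFW BLOCK] IN=br-ctr OUT=eth0 SRC=172.25.0.4 DST=203.0.113.5 PROTO=TCP SPT=22 DPT=51000 ACK
"""

_KV = re.compile(r"(\w+)=(\S+)")

def parse_block_line(line: str) -> Dict[str, str]:
    """Extract the KEY=VALUE fields of one '[UFW BLOCK]' line; empty dict for any other line."""
    if "[UFW BLOCK]" not in line:
        return {}
    return dict(_KV.findall(line))

def classify(f: Dict[str, str]) -> str:
    """Label a blocked packet by how it relates to the intended container policy."""
    proto = f.get("PROTO", "")
    spt, dpt = int(f.get("SPT", 0)), int(f.get("DPT", 0))
    if f.get("SRC") == CONTAINER_IP:                    # packet leaving the container
        if (proto, dpt) in ALLOWED_EGRESS:
            return "egress-allowed-port-blocked"        # an allow rule should have matched first
        if (proto, spt) in ALLOWED_INGRESS:
            return "egress-reply-from-allowed-service"  # return traffic of an inbound session
        return "egress-denied-by-policy"                # what 'route deny from <ip> to any' is for
    if f.get("DST") == CONTAINER_IP:                    # packet heading into the container
        if (proto, dpt) in ALLOWED_INGRESS:
            return "ingress-allowed-service-blocked"    # no route allow rule covered it
        return "ingress-other"
    return "unrelated"

def audit(log_text: str) -> List[Tuple[str, str, int, str, int]]:
    """Return (category, src, spt, dst, dpt) for each blocked packet that involves the container."""
    out = []
    for f in map(parse_block_line, log_text.splitlines()):
        cat = classify(f) if f else "unrelated"
        if cat != "unrelated":
            out.append((cat, f.get("SRC", "?"), int(f.get("SPT", 0)), f.get("DST", "?"), int(f.get("DPT", 0))))
    return out
```

Run it over `journalctl -k` or /var/log/ufw.log output instead of SAMPLE_LOG to see which of the blocked entries are the intended egress denies and which ones involve the ports the rules were meant to allow.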
