
Docker expose a port of a container but restrict network access


I have a server A, and it runs a container B (say an SSH server). I want to allow people to do some computation on B that does not access the network.

Using docker run --publish=${MY_PORT}:22 ..., I expose container B's port to allow people to connect into B. This way people can ssh into B using A's ${MY_PORT} port. However, people can initiate TCP connections to other servers (e.g. 8.8.8.8), so they can use server A as a jump host to do bad things.

Is it possible to isolate container B's network? That is, only allow access to the published port, and deny all other network traffic. I am thinking of something similar to --network=none --publish=${MY_PORT}:22. Is it possible to achieve this without editing Docker's iptables?

mangohost
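As an added example (not from the question or any answer), here is one way a host admin can get the effect asked for above without touching the rules Docker generates: put B on its own bridge with a fixed interface name, then use Docker's DOCKER-USER chain, which Docker evaluates before its own FORWARD rules, to drop every connection that B originates while the published SSH port stays reachable. The network name `sandbox-net`, bridge `br-sandbox`, container name `B`, image `my-ssh-image` and the presence of `nc` are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): lock down egress for a
# container that must still accept connections on its published port,
# using the DOCKER-USER chain so nothing Docker generates is edited.
set -eu

NET_NAME="${NET_NAME:-sandbox-net}"   # assumed network name
BRIDGE="${BRIDGE:-br-sandbox}"        # fixed bridge name the rule matches on
MY_PORT="${MY_PORT:-2222}"            # host port published to B's port 22
IMAGE="${IMAGE:-my-ssh-image}"        # hypothetical image with sshd and nc

# Emit the firewall rule as text so it can be reviewed before it runs.
# Inbound SSH (client -> host:MY_PORT, DNATed to B:22) enters FORWARD from
# the outside, so it is never matched as arriving on the bridge, and B's
# replies are ESTABLISHED and pass. Anything else B originates (a NEW
# connection to 8.8.8.8, a ping, a scan) arrives on the bridge and drops.
egress_rules() {
    printf 'iptables -I DOCKER-USER -i %s -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP\n' "$BRIDGE"
}

setup() {
    # Dedicated bridge with a predictable interface name for the rule.
    docker network create -d bridge \
        -o com.docker.network.bridge.name="$BRIDGE" "$NET_NAME"
    egress_rules | sh -e
    docker run -d --name B --network "$NET_NAME" \
        --publish "${MY_PORT}:22" "$IMAGE"
}

# Exit 0 only if B cannot open a new outbound TCP connection while the
# published port is still reachable from the host.
verify() {
    if docker exec B nc -z -w 3 8.8.8.8 53 2>/dev/null; then
        echo "FAIL: container egress is not blocked" >&2
        return 1
    fi
    nc -z -w 3 127.0.0.1 "$MY_PORT" || {
        echo "FAIL: published port $MY_PORT not reachable" >&2
        return 1
    }
    echo "OK: egress blocked, port $MY_PORT reachable"
}

teardown() {
    docker rm -f B
    docker network rm "$NET_NAME"
    iptables -D DOCKER-USER -i "$BRIDGE" -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP
}

case "${1:-}" in
    rules) egress_rules ;; setup) setup ;; verify) verify ;; teardown) teardown ;;
esac
```

Two gaps to keep in mind: DOCKER-USER sits in the FORWARD path, so this rule does not restrict traffic from B to the host itself (that goes through INPUT), and on user-defined networks Docker's embedded resolver forwards DNS upstream from the daemon in the host namespace rather than from B, so name lookups are not blocked by it.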
