Score:-2

Block access to docker for a specific IP address

Trying to do this:

iptables -A INPUT -s (some-ip-address) -j DROP

But the IP address still connects to an application running in a docker service. I suspect this is because docker bypasses the firewall.

How can I block the IP address?

Edit, clarification:

I have docker running on a server. I have a PC that connects to one of the services running on the server. The PC needs to be blocked from connecting.

Zareh Kasparian: Do you mean the container running on docker engine, or the docker itself?
`-D` is deleting a rule, not adding one. You need to insert the rule at the correct position.
birgersp: @ZarehKasparian I mean block an IP from connecting to the host where docker is running. I'll update my question to clarify.
birgersp: @GeraldSchneider sorry, I messed up when copying from the command history. I have updated the question.
The statement is the same. You need to insert the rule at the correct position. Appending it to the end of course doesn't work.
birgersp: I was following this "tutorial": https://www.cyberciti.biz/faq/how-do-i-block-an-ip-on-my-linux-server/. Okay, so `-I` will make the rule work? Rules at the "beginning" take precedence?
Score:0

Probably several things happening. You are appending the rule (-A) which means the docker rules may have already accepted the packet. You are applying to the INPUT table, and there's a DOCKER-USER table designated for these rules. And if you try to do port filtering, the NAT rules will likely break your logic. Here's an example that inserts a rule at the top of the DOCKER-USER table to drop traffic on a specific interface that isn't from an approved subnet to a specific port:

iptables -I DOCKER-USER -i eth0 ! -s 10.0.0.0/24 -p tcp \
  -m conntrack --ctorigdstport 8080 -j DROP
birgersp: Care to explain the flags here? Why would I want to specify interface, tcp, port when I want to block all traffic from the IP?
@birgersp The above is an example with all the options, and you can pick which ones make sense for you. I've come across too many questions that omit details that dramatically change the answer, so I just provide everything and you can ignore the parts that don't apply to your scenario.
birgersp: That doesn't make sense to me but okay. Thanks for the example. The conclusion is that I should remove the `-A` and use `-I` and `DOCKER-USER` arguments to the iptables command?
@birgersp If all you're blocking is a single IP, then yes.
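Putting the thread's conclusion into a runnable script, as an added example rather than code from the answer: it inserts the DROP at the top of DOCKER-USER (and of INPUT, for services bound on the host itself) with -I, and checks with -C first so re-running does not stack duplicate rules. IPTABLES is an assumed override variable so the script can be dry-run (IPTABLES=echo) without touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux host running Docker,
# iptables on PATH, and Docker's DOCKER-USER chain already created by the
# daemon. IPTABLES is a hypothetical override for dry runs (IPTABLES=echo).
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 address; a malformed -s argument would
# otherwise just make iptables error out.
valid_ipv4() {
  old_ifs="$IFS"; IFS=.
  set -- $1
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Drop every packet from one source address, both for Docker-published ports
# and for services listening on the host itself.
block_ip() {
  addr="$1"
  valid_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 2; }
  for chain in DOCKER-USER INPUT; do
    # -C reports whether an identical rule already exists, so re-running the
    # script does not pile up duplicate DROP rules.
    if "$IPTABLES" -C "$chain" -s "$addr" -j DROP 2>/dev/null; then
      echo "$chain: rule for $addr already present"
      continue
    fi
    # -I with no position inserts at line 1. Packets to a published port are
    # DNATed to the container and traverse FORWARD, not INPUT, which is why
    # the question's INPUT rule never matched; FORWARD jumps to DOCKER-USER
    # first, so a rule at the top of DOCKER-USER runs before Docker's own
    # rules. -A would land after Docker's RETURN and any earlier ACCEPT.
    "$IPTABLES" -I "$chain" -s "$addr" -j DROP
  done
}

# Show the resulting rule order; the DROP should sit at line 1 of each chain.
show_rules() {
  "$IPTABLES" -L DOCKER-USER -n --line-numbers
  "$IPTABLES" -L INPUT -n --line-numbers
}

# Usage: ./block-ip.sh 203.0.113.5   (203.0.113.5 is a constructed sample)
[ $# -eq 0 ] || { block_ip "$1" && show_rules; }
```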