Description
Restricting access to services on publicly accessible servers is important.
Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 8.8.8.8 can access the containers, the following rule could be added:

```
$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
```
I would like to see some more details when running multiple servers with multiple services on each:

- How to restrict access to multiple IPs?
  Use case: database cluster where 3 servers connect to each other
- How to restrict one service/port and leave others open?
  Use case: one server with public web server and restricted database (clustered, not "linking")

It would be great if you could provide simple iptables examples.
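One way to cover both use cases above with iptables, added here as an example and not taken from the Docker docs or the issue author: a custom chain that RETURNs for each allowed source and DROPs everything else, hooked into the DOCKER chain either for all container traffic (the cluster-peer case) or for a single container port (restricted database beside an open web server). The interface name `ext_if`, the chain names and the 10.0.0.x peer addresses are assumptions; `IPTABLES=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the Docker docs): whitelist several source IPs on the
# DOCKER chain, either for all container traffic or for one container port.
# IPTABLES=echo prints the rules instead of applying them (dry run, no root).
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-ext_if}"      # external interface, placeholder as in the docs
HOOK="${HOOK:-DOCKER}"          # chain that Docker's forwarded traffic passes through

# build_allow_chain CHAIN IP...  -- RETURN for each allowed source, DROP the rest
build_allow_chain() {
    c=$1; shift
    [ $# -gt 0 ] || { echo "build_allow_chain: need at least one allowed IP" >&2; return 1; }
    "$IPTABLES" -N "$c" 2>/dev/null || "$IPTABLES" -F "$c"   # create, or reset if present
    for ip in "$@"; do
        "$IPTABLES" -A "$c" -s "$ip" -j RETURN
    done
    "$IPTABLES" -A "$c" -j DROP
}

# Use case 1: only the cluster peers may reach any container (e.g. a 3-node DB cluster).
# restrict_all CHAIN PEER_IP...
restrict_all() {
    chain=$1; shift
    build_allow_chain "$chain" "$@" || return 1
    "$IPTABLES" -I "$HOOK" -i "$EXT_IF" -j "$chain"
}

# Use case 2: restrict one service, leave the others open. DNAT has already
# happened when packets reach the DOCKER chain, so PORT is the port inside the
# container (e.g. 3306), not the host port it is published on.
# restrict_port CHAIN PROTO PORT PEER_IP...
restrict_port() {
    chain=$1; proto=$2; port=$3; shift 3
    build_allow_chain "$chain" "$@" || return 1
    "$IPTABLES" -I "$HOOK" -i "$EXT_IF" -p "$proto" --dport "$port" -j "$chain"
}

# Demo with constructed peer addresses: web stays open, the DB port is limited to peers.
main() {
    restrict_port DOCKER-ALLOW-DB tcp 3306 10.0.0.1 10.0.0.2 10.0.0.3
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Docker rewrites the DOCKER chain when the daemon restarts, so run this from a script that executes after Docker is up (newer Docker releases provide a DOCKER-USER chain for exactly this purpose; set HOOK=DOCKER-USER there). Since `-I` inserts at the top, the rule added last is evaluated first.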
File: engine/userguide/networking/default_network/container-communication.md, CC @mstanleyjones