
How to block the connection to an IP which is created in docker container on host

There is a docker container running in bridge network mode. Inside the container, it creates a connection to, say, 10.123.123.1:6666. I’d like to block this connection on the host through IPTABLES, something like sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP, but it doesn’t work. Could anyone help me with this, please?

I can’t even see this connection on the host with the command netstat -an, but I can see it inside the container.

I don’t have to use IPTABLES, but I can’t change the configuration of the running docker.


Answer

These packets are going through INPUT & OUTPUT chains in the container’s network namespace, and not in the host’s network namespace.

All your host network namespace does is forward these packets, so you need to alter the FORWARD chain with a rule similar to iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP. Bear in mind that Docker alters iptables rules, which may punch holes in the firewall.
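A worked version of the answer above, added here as an example and not part of the original post. It puts the DROP in Docker's DOCKER-USER chain rather than directly in FORWARD: FORWARD jumps to DOCKER-USER before any rule Docker manages, so the block is not shadowed when Docker re-inserts its own ACCEPT rules (the "punched holes" the answer warns about). It also includes a check that reads an iptables -S dump and confirms the rule sits before the chain's RETURN, and a helper that explains why netstat on the host shows nothing: the socket lives in the container's network namespace. Assumed: a Linux host with Docker, iptables, and util-linux nsenter; the target 10.123.123.1:6666 is the one from the question; the sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes a Linux host
# running Docker with its DOCKER-USER chain present in the filter table.
# The destination 10.123.123.1:6666 is the one from the question.

TARGET_IP="10.123.123.1"
TARGET_PORT="6666"

# The rule in the normalised form `iptables -S` prints, so a live dump can be
# compared against it. Traffic leaving a bridge-networked container crosses the
# host's FORWARD chain, never its OUTPUT chain; DOCKER-USER is jumped to from
# FORWARD before any rule Docker manages, so a DROP here is evaluated even
# after Docker re-inserts its own ACCEPT rules.
block_rule() {
    printf -- '-A DOCKER-USER -d %s/32 -p tcp -m tcp --dport %s -j DROP\n' \
        "$TARGET_IP" "$TARGET_PORT"
}

# Read an `iptables -S DOCKER-USER` dump on stdin. Returns 0 only if the block
# rule is present AND sits before the RETURN that hands control back to
# FORWARD; a rule appended after that RETURN (iptables -A) is never reached.
rule_active_in_dump() {
    awk -v want="$(block_rule)" '
        $0 == want   { found = 1; exit }
        /-j RETURN$/ { exit }
        END          { if (found) exit 0; exit 1 }
    '
}

# Install the rule on the live host (needs root and iptables). Idempotent:
# -C checks for an existing identical rule before -I inserts at the top.
apply_block() {
    [ "$(id -u)" = 0 ] || { echo "apply_block: run as root" >&2; return 1; }
    command -v iptables >/dev/null || { echo "apply_block: iptables not found" >&2; return 1; }
    iptables -C DOCKER-USER -d "$TARGET_IP" -p tcp --dport "$TARGET_PORT" -j DROP 2>/dev/null ||
        iptables -I DOCKER-USER -d "$TARGET_IP" -p tcp --dport "$TARGET_PORT" -j DROP
    iptables -S DOCKER-USER | rule_active_in_dump
}

# Why `netstat -an` on the host shows nothing: the socket lives in the
# container's network namespace. Enter that namespace to list it (root, docker
# and util-linux nsenter required; pass the container name or ID).
container_conns() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    nsenter -t "$pid" -n ss -tn
}

# Constructed dumps (not captured from a real host) to show the check.
GOOD_DUMP='-N DOCKER-USER
-A DOCKER-USER -d 10.123.123.1/32 -p tcp -m tcp --dport 6666 -j DROP
-A DOCKER-USER -j RETURN'

# Same rule appended with -A instead of -I: lands after RETURN, never evaluated.
BAD_DUMP='-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER -d 10.123.123.1/32 -p tcp -m tcp --dport 6666 -j DROP'

if printf '%s\n' "$GOOD_DUMP" | rule_active_in_dump; then
    echo "good dump: block rule active"
fi
if ! printf '%s\n' "$BAD_DUMP" | rule_active_in_dump; then
    echo "bad dump: block rule shadowed by RETURN"
fi
```

On a real host, run apply_block as root and then container_conns <name> from inside the script to confirm the container's connection to 10.123.123.1:6666 no longer completes; because the original iptables -I FORWARD rule from the answer also works but can end up below Docker's ACCEPT rules after a daemon restart, the dump check is worth re-running whenever Docker reloads its rules.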

User contributions licensed under: CC BY-SA