How to Restrict Outbound Traffic on a Docker Infrastructure

  • docker, in order to achieve all its networking black magic, uses iptables and overrides your firewall
  • restricting all outbound traffic is easy, but letting through legitimate outbound connections (for instance, connections to an external API we need) is not, since most firewalls work with IP addresses rather than DNS domain names. This means that to whitelist outbound connections based on domain, you would need to maintain an up-to-date list of the IP addresses that match your allowed domains and refresh your firewall configuration periodically
  • block all outbound connections on the server with your firewall (ufw). This will not be enforced inside Docker containers but it’s still useful on the host.
  • in your docker-compose.yml, put the docker containers in an internal restricted network, so that they have no access to the internet
  • for each allowed domain you want to reach from inside a docker container, add an nginx container to your docker-compose.yml that acts as a proxy for that specific domain: put this container inside the internal restricted docker network AND in a docker network with access to the internet, link it to the other containers under the domain name in question, and configure nginx so that it forwards everything to that domain name only
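As an added example that is not from the original article, here is a docker-compose.yml that puts the steps above together; the allowed domain api.example.com, the app image and the network and service names are placeholders you would swap for your own.

```yaml
# Added example, not from the original article. Placeholders: api.example.com
# (the single allowed domain), the app image, and the network/service names.
services:
  app:
    image: curlimages/curl:8.6.0          # stands in for your real service
    command: ["-sS", "https://api.example.com/"]
    networks:
      - restricted                        # internal only: no route to the internet
    # The link makes api.example.com resolve to the proxy from inside "app" only;
    # the proxy itself still resolves the real domain through its egress network.
    links:
      - api-proxy:api.example.com
    depends_on:
      - api-proxy

  api-proxy:
    image: nginx:1.25
    networks:
      - restricted                        # reachable by app
      - egress                            # the only service with internet access
    configs:
      - source: api_proxy_conf
        target: /etc/nginx/nginx.conf

networks:
  restricted:
    internal: true    # Docker adds no masquerade/forward rule, so no egress from it
  egress: {}          # ordinary bridge network with outbound access

configs:
  api_proxy_conf:
    content: |
      events {}
      # TCP pass-through on 443: TLS stays end to end between app and the real
      # host, and this single upstream is the only destination the proxy relays to.
      stream {
        server {
          listen 443;
          proxy_pass api.example.com:443;
        }
      }
```

Because the proxy only relays TCP, the application still validates the real server certificate for api.example.com, and any other destination a container tries to reach from the restricted network simply has no route.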
