Well, this is a followup of my last post, regarding Docker containers in the subnet + firewalling (Each container with an IP + UFW, how you guys handle it?).

I made some tests and created a setup I'm satisfied with, but would like to get some feedback about possible drawbacks.

What I want to accomplish is: provide my containers with an IP in my subnet and firewall it from the host machine.

In the first post I wanted to use UFW to firewall my containers, but I had some problems with some applications like TFTP.

In this post, I'm using a bridge + macvlan + ebtables.

Debian 10, interface ens33 is my ethernet interface. My network is 192.168.30.0/24.

First I configured the interface to be a slave of a bridge:

```
# /etc/network/interfaces
iface ens33 inet manual
```

Then, created a Docker network using macvlan and the bridge over ens33 as the parent interface:

```
docker network create -d macvlan --subnet=192.168.30.0/24 --gateway=192.168.30.254 -o parent=br0 macvlan0
```

Containers can be created by issuing:

```
docker run --rm -ti --network macvlan0 --ip 192.168.30.10 alpine:latest /bin/ash
```

The container will be available in the subnet using IP 192.168.30.10, and access to it can be managed using ebtables.

Blocking a port:

```
ebtables -t nat -I PREROUTING -i ens33 -p ip --ip-protocol tcp --ip-destination-port 22 -j DROP
```

Allowing only some ports, like 80 and 443:

```
ebtables -t nat -A PREROUTING -i ens33 -p ip --ip-protocol tcp --ip-destination 192.168.30.10 --ip-destination-port 80 -j ACCEPT
ebtables -t nat -A PREROUTING -i ens33 -p ip --ip-protocol tcp --ip-destination 192.168.30.10 --ip-destination-port 443 -j ACCEPT
ebtables -t nat -A PREROUTING -i ens33 -p ip --ip-protocol tcp --ip-destination 192.168.30.10 -j DROP
```

The only thing that bothers me is the ebtables management, but I can live with it.

What do you guys think about it? Too cumbersome?

Edit: In this edit I updated the original post (preserved above) to reflect the use of nftables, which resulted in a better and also faster solution (see the comment by es0dieh, who warned about the (ip|eb|arp)tables deprecation).

Setup is the same, except that we don't need the bridge anymore. Docker network using the ens33 interface instead of br0:

```
docker network create -d macvlan --subnet=192.168.30.0/24 --gateway=192.168.30.254 -o parent=ens33 macvlan0
```

To use nftables to filter packets to the containers, you need to use table netdev and chain ingress. Be aware that this table/chain will "see" ALL packets on the NIC, so an incorrect rule will lock you out.

```
table netdev filter {
    chain ingress {
        type filter hook ingress device ens33 priority 0; policy accept;
        arp daddr ip 192.168.30.10 accept                    # Accept ARP requests
        ip daddr 192.168.30.10 icmp type echo-request accept # Accept ICMP (ping) requests
        ip daddr 192.168.30.10 tcp dport { 80, 443 } accept  # Accept HTTP/HTTPS traffic
        ip daddr 192.168.30.10 drop                          # Drop all other traffic to the container
    }
}
```

All traffic not directed to the IP is accepted (it could be directed to the host itself or other interfaces in the host machine). In this config, ARP, ICMP (ping) and HTTP/HTTPS are accepted; all other traffic to IP 192.168.30.10 is dropped.
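The nftables variant of the setup, as an added shell example (not the poster's own commands): it renders the netdev/ingress ruleset for one macvlan container from the NIC, container IP and port list, dry-runs it with `nft -c` before anything is applied, and loads it atomically with `nft -f`. The function names render_ruleset, check_ruleset and apply_ruleset are assumptions; the defaults match the post (ens33, 192.168.30.10, ports 80 and 443).

```shell
#!/bin/sh
# Added example, not the poster's own commands. Builds the netdev/ingress
# ruleset from the post as an nft script for one macvlan container, dry-runs
# it with `nft -c`, then loads it with `nft -f`. Function names are assumed.

# render_ruleset IFACE CONTAINER_IP "PORT PORT ..." -> nft script on stdout
render_ruleset() {
    iface=$1; cip=$2; ports=$3
    # "80 443" -> "80, 443" for an anonymous nft set
    set_body=$(printf '%s' "$ports" | sed 's/ \{1,\}/, /g')
    cat <<EOF
add table netdev filter
flush table netdev filter
table netdev filter {
    chain ingress {
        # policy accept: packets for the host or any other IP are untouched,
        # so a mistake here hits only the container, not your own SSH session
        type filter hook ingress device $iface priority 0; policy accept;
        # ARP is not IP, so match it with the arp header, not with ip daddr
        arp daddr ip $cip accept
        ip daddr $cip icmp type echo-request accept
        ip daddr $cip tcp dport { $set_body } accept
        # the hook is stateless: this also drops replies to connections the
        # container opens itself (e.g. an outbound HTTPS fetch), exactly as
        # the post's ebtables rules do
        ip daddr $cip drop
    }
}
EOF
}

# check_ruleset: parse the script on stdin without applying it; returns 2
# when nft is missing so the caller can tell "not checked" from "rejected"
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f -
}

# apply_ruleset IFACE CONTAINER_IP "PORTS": load only what passed the check
apply_ruleset() {
    render_ruleset "$1" "$2" "$3" | check_ruleset || {
        echo "ruleset rejected or nft not installed; nothing applied" >&2
        return 1
    }
    render_ruleset "$1" "$2" "$3" | nft -f -
}

# Usage (as root): sh this_script.sh apply ens33 192.168.30.10 "80 443"
if [ "${1:-}" = apply ]; then apply_ruleset "$2" "$3" "$4"; fi
```

Because the script starts with `add table` + `flush table` for its own table only, reloading it replaces just the container rules and leaves any other nftables tables on the host (for example those used by Docker or iptables-nft) alone.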