Block Docker port and access it to few IP addresses

I need to block all INPUT traffic to port 8090 on an Ubuntu 16.04 server.
I used iptables but it did not help.
Commands I used:

    iptables -A INPUT -p tcp --dport 8090 -j DROP
    iptables -A INPUT -p tcp --dport 8090 -s <IP> -j ACCEPT

In NAT I have:

    Chain DOCKER (2 references)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             <VM local IP>        tcp dpt:8090 to:172.21.0.2:8080

The public interface is named eth0 and the Docker interface is named docker0.
  • use -I instead of -A
    – Rui F Ribeiro
    Aug 15 at 9:42
linux networking iptables firewall docker
asked Aug 15 at 9:05 by Pasily_V (31)
2 Answers
Accepted answer
Because of DNAT you're now routing. Your INPUT chain isn't used anymore for this DNATed traffic; it's now the FORWARD chain that is traversed instead. The new destination is 172.21.0.2:8080 and that's what the rules should now care about, not <VM local IP>:8090 anymore.

So with DNAT in place, you should block your traffic with (in the right order: allow the exception, then forbid everything else):

    iptables -A FORWARD -s <IP> -d 172.21.0.2 -p tcp --dport 8080 -j ACCEPT
    iptables -A FORWARD -d 172.21.0.2 -p tcp --dport 8080 -j DROP

To be sure it's actually done before any system rule, you could do:

    iptables -I FORWARD 1 -s <IP> -d 172.21.0.2 -p tcp --dport 8080 -j ACCEPT
    iptables -I FORWARD 2 -d 172.21.0.2 -p tcp --dport 8080 -j DROP

Those rules as they are might prevent other containers from reaching this container, depending on configuration, so you might have to adapt them (by stating the external input interface, for example). Anyway, you have to find a way to integrate this nicely with the system's firewall method.
edited Aug 20 at 18:19
answered Aug 20 at 17:56 by A.B (3,515)
About these lines:

    iptables -A INPUT -p tcp --dport 8090 -j DROP
    iptables -A INPUT -p tcp --dport 8090 -s <IP> -j ACCEPT

You should change the order of those, because iptables rules overwrite each other when they conflict, and that is the correct way; so first correct these and check all other rules to prevent overwriting.

Regarding the NAT part of your question, it is not clear; however, on Docker you should assign the port when you bring up a container:

    docker run ... -p 8090:8080 ...
answered Aug 15 at 11:51 by Hossein Vatani (464)
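Added example, not code from the thread: a small Python model of the netfilter path that A.B's answer describes (DNAT in the nat table happens before the routing decision, so the published port is handled by FORWARD, never by INPUT) together with the ordering points from Hossein Vatani's answer and Rui F Ribeiro's comment (first match wins inside a chain, and -I puts a rule ahead of rules that are already there while -A puts it behind them). The host, client and neighbouring-container addresses are constructed placeholders standing in for <VM local IP> and <IP>; the pre-existing ACCEPT rule that the model attributes to Docker is an assumption used to show why -A can be ineffective, and the "neighbour" packet shows the caveat about other containers that the accepted answer raises.

```python
"""Toy model of the path an inbound TCP packet takes on a Docker host.

Constructed for this thread, not code from it. Models only what the answers discuss:
nat DNAT for a published port, the INPUT-or-FORWARD routing decision, and first-match
rule evaluation inside a chain. Addresses are placeholders from the RFC 5737 test ranges.
"""
from dataclasses import dataclass
from typing import Optional

HOST_IP = "192.0.2.10"      # stands in for <VM local IP> in the question
ALLOWED = "198.51.100.7"    # stands in for <IP>, the one client to let through
CONTAINER = "172.21.0.2"    # the container address from the question's DNAT rule


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str = "eth0"


@dataclass
class Rule:
    target: str                  # -j ACCEPT / -j DROP
    src: Optional[str] = None    # -s
    dst: Optional[str] = None    # -d
    dport: Optional[int] = None  # --dport
    in_if: Optional[str] = None  # -i

    def matches(self, p: Packet) -> bool:
        wanted = ((self.src, p.src), (self.dst, p.dst),
                  (self.dport, p.dport), (self.in_if, p.in_if))
        return all(want is None or want == have for want, have in wanted)


class Chain:
    """A filter chain: the first matching rule decides, otherwise the policy applies."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules = []
        self.policy = policy

    def append(self, rule: Rule) -> None:                # iptables -A CHAIN
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I CHAIN [pos]
        self.rules.insert(pos - 1, rule)

    def verdict(self, p: Packet) -> str:
        return next((r.target for r in self.rules if r.matches(p)), self.policy)


class Host:
    def __init__(self):
        self.dnat = {}          # nat DOCKER chain: (dst, dport) -> (new dst, new dport)
        self.INPUT = Chain()
        self.FORWARD = Chain()

    def publish(self, host_port: int, container_ip: str, container_port: int) -> None:
        """What `docker run -p host_port:container_port` adds to the nat table."""
        self.dnat[(HOST_IP, host_port)] = (container_ip, container_port)

    def deliver(self, p: Packet) -> tuple:
        """Return (chain consulted, verdict) for one inbound packet."""
        new = self.dnat.get((p.dst, p.dport))      # nat PREROUTING runs first...
        if new:
            p = Packet(p.src, new[0], new[1], p.in_if)
        if p.dst == HOST_IP:                        # ...then the routing decision
            return "INPUT", self.INPUT.verdict(p)
        return "FORWARD", self.FORWARD.verdict(p)   # DNATed traffic is forwarded


def asker_rules() -> tuple:
    """The question's INPUT rules never see the published port: it is DNATed first."""
    h = Host()
    h.publish(8090, CONTAINER, 8080)
    h.INPUT.append(Rule("DROP", dport=8090))
    h.INPUT.append(Rule("ACCEPT", src=ALLOWED, dport=8090))
    return h.deliver(Packet("203.0.113.5", HOST_IP, 8090))


def forward_rules(placement="insert", order="accept_first", scope_iface=True) -> dict:
    """The accepted answer's FORWARD rules under the choices the thread argues about."""
    h = Host()
    h.publish(8090, CONTAINER, 8080)
    # Assumed stand-in for an ACCEPT Docker already installed for the published port.
    h.FORWARD.append(Rule("ACCEPT", dst=CONTAINER, dport=8080))
    iface = "eth0" if scope_iface else None     # the answer's "external input interface"
    accept = Rule("ACCEPT", src=ALLOWED, dst=CONTAINER, dport=8080, in_if=iface)
    drop = Rule("DROP", dst=CONTAINER, dport=8080, in_if=iface)
    ours = [accept, drop] if order == "accept_first" else [drop, accept]
    for pos, rule in enumerate(ours, start=1):
        if placement == "insert":
            h.FORWARD.insert(rule, pos)         # -I FORWARD 1 / 2: ahead of the existing rule
        else:
            h.FORWARD.append(rule)              # -A FORWARD: behind it, so never reached
    return {
        "stranger": h.deliver(Packet("203.0.113.5", HOST_IP, 8090))[1],
        "friend": h.deliver(Packet(ALLOWED, HOST_IP, 8090))[1],
        # another container reaching 172.21.0.2 directly over docker0, no DNAT involved
        "neighbour": h.deliver(Packet("172.21.0.3", CONTAINER, 8080, in_if="docker0"))[1],
    }


if __name__ == "__main__":
    print("INPUT rules from the question:", asker_rules())
    print("-I, ACCEPT then DROP, -i eth0:", forward_rules())
    print("-I, DROP then ACCEPT:", forward_rules(order="drop_first"))
    print("-A instead of -I:", forward_rules(placement="append"))
    print("without -i eth0:", forward_rules(scope_iface=False))
```

Running it shows the four outcomes the thread argues about: the question's INPUT rules are never consulted because the packet has already been rewritten to 172.21.0.2:8080 and is forwarded; with the accepted answer's ACCEPT-then-DROP pair inserted at the head of FORWARD, only the allowed source gets through; swapping the pair drops the allowed source too, because the DROP matches first; appending instead of inserting leaves both rules behind a pre-existing ACCEPT, so nothing changes; and leaving out the external interface also drops traffic from another container, which is the side effect the accepted answer warns about.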



























                       
