Block Docker port and access it to few IP addresses
I need to block all INPUT traffic to port 8090 on an Ubuntu 16.04 server.
I used iptables but it did not help.
Commands I used:
iptables -A INPUT -p tcp --dport 8090 -j DROP
iptables -A INPUT -p tcp --dport 8090 -s <IP> -j ACCEPT
In NAT I have:
Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             <VM local IP>        tcp dpt:8090 to:172.21.0.2:8080
The public interface is named eth0 and the Docker interface is named docker0.
Tags: linux networking iptables firewall docker
asked Aug 15 at 9:05 by Pasily_V
Comment: use -I instead of -A. (Rui F Ribeiro, Aug 15 at 9:42)
2 Answers
Accepted answer:
Because of DNAT you're now routing. Your INPUT chain isn't used anymore for this DNATed traffic and it's now the FORWARD chain that is traversed instead. The new destination is 172.21.0.2:8080
and that's what the rules should now care about, not <VM local IP>:8090
anymore.
So with DNAT in place, you should block your traffic with (in the right order: allow exception, then forbid everything else):
iptables -A FORWARD -s <IP> -d 172.21.0.2 -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -d 172.21.0.2 -p tcp --dport 8080 -j DROP
To be sure it's actually done before any system rule, you could do:
iptables -I FORWARD 1 -s <IP> -d 172.21.0.2 -p tcp --dport 8080 -j ACCEPT
iptables -I FORWARD 2 -d 172.21.0.2 -p tcp --dport 8080 -j DROP
Those rules as is might prevent other containers to reach this container depending on configuration, so you might have to adapt them (by stating the external input interface for example). Anyway you have to find a way to integrate this nicely with the system's method of firewall.
Because of DNAT you're now routing. Your INPUT chain isn't used anymore for this DNATed traffic; it's now the FORWARD chain that is traversed instead. The new destination is 172.21.0.2:8080, and that's what the rules should now care about, not <VM local IP>:8090 anymore.
So with DNAT in place, you should block your traffic with (in the right order: allow the exception, then forbid everything else):
iptables -A FORWARD -s <IP> -d 172.21.0.2 -p tcp --dport 8080 -j ACCEPT
iptables -A FORWARD -d 172.21.0.2 -p tcp --dport 8080 -j DROP
To be sure it's actually done before any system rule, you could do:
iptables -I FORWARD 1 -s <IP> -d 172.21.0.2 -p tcp --dport 8080 -j ACCEPT
iptables -I FORWARD 2 -d 172.21.0.2 -p tcp --dport 8080 -j DROP
Those rules as-is might prevent other containers from reaching this container, depending on configuration, so you might have to adapt them (by stating the external input interface, for example). Anyway, you have to find a way to integrate this nicely with the system's firewall method.
answered Aug 20 at 17:56 by A.B (edited Aug 20 at 18:19)
About these lines:
iptables -A INPUT -p tcp --dport 8090 -j DROP
iptables -A INPUT -p tcp --dport 8090 -s <IP> -j ACCEPT
You should change the order of those, because iptables rules overwrite each other when they conflict and this is the correct way, so first correct these and check all other rules to prevent overwriting.
Regarding the NAT part of your question, it is not clear; however, on Docker you should assign the port when you bring up a container:
docker run ... -p 8090:8080 ...
answered Aug 15 at 11:51 by Hossein Vatani
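To see why the asker's INPUT rules never fired and why the order of the two FORWARD rules (and the "-I instead of -A" comment) matters, here is an added toy model of the netfilter path for this setup; it is not code from the question or either answer. The addresses are constructed, and only the pieces the thread discusses are modelled: the nat DNAT rewrite, the routing decision between INPUT and FORWARD, and first-match evaluation of a chain.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: the host's public address (the <VM local IP> on
# eth0), the container from the thread's DNAT rule, one allowed client.
HOST_IP, CONTAINER, ALLOWED, STRANGER = "203.0.113.10", "172.21.0.2", "198.51.100.7", "192.0.2.99"
LOCAL_IPS = {HOST_IP, "172.21.0.1"}            # addresses the host itself owns (docker0 gateway constructed)
DNAT = {(HOST_IP, 8090): (CONTAINER, 8080)}    # nat/DOCKER: tcp dpt:8090 to:172.21.0.2:8080

@dataclass
class Rule:
    target: str                  # ACCEPT or DROP
    dport: int                   # --dport
    src: Optional[str] = None    # -s, None means any source
    dst: Optional[str] = None    # -d, None means any destination

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (dport == self.dport and self.src in (None, src)
                and self.dst in (None, dst))

def walk(chain: list, src: str, dst: str, dport: int, policy: str = "ACCEPT") -> str:
    """First matching rule decides, exactly as iptables evaluates a chain."""
    for rule in chain:
        if rule.matches(src, dst, dport):
            return rule.target
    return policy

def deliver(src: str, dst: str, dport: int, input_chain: list, forward_chain: list) -> str:
    """nat PREROUTING (DNAT) -> routing decision -> filter INPUT or FORWARD."""
    dst, dport = DNAT.get((dst, dport), (dst, dport))   # DNAT rewrites the destination first
    if dst in LOCAL_IPS:                                 # still addressed to the host: INPUT
        return walk(input_chain, src, dst, dport)
    return walk(forward_chain, src, dst, dport)          # rewritten to the container: FORWARD

# The asker's rules: INPUT chain, DROP appended (-A) before the ACCEPT exception.
ASKER_INPUT = [Rule("DROP", 8090), Rule("ACCEPT", 8090, src=ALLOWED)]
# The accepted answer's rules: FORWARD chain, exception first, then DROP.
ANSWER_FORWARD = [Rule("ACCEPT", 8080, src=ALLOWED, dst=CONTAINER),
                  Rule("DROP", 8080, dst=CONTAINER)]

def asker_setup(src: str) -> str:        # INPUT is never consulted for the DNATed flow
    return deliver(src, HOST_IP, 8090, ASKER_INPUT, [])

def answer_setup(src: str) -> str:       # FORWARD rules in the order the answer gives
    return deliver(src, HOST_IP, 8090, [], ANSWER_FORWARD)

def wrong_order(src: str) -> str:        # same rules with DROP first: the exception never matches
    return deliver(src, HOST_IP, 8090, [], list(reversed(ANSWER_FORWARD)))
```

With the asker's rules every client reaches the container, because the DNATed packet takes the FORWARD chain (here with its default ACCEPT policy) and the INPUT rules are never evaluated; even on INPUT the appended DROP would shadow the ACCEPT for the allowed address, which is what the -I comment addresses.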