I'm running a dockerized app on an Ubuntu machine. It's a test environment so I want to limit access to a few IP addresses. I use the following iptables rules:

# -I inserts at the top, so the last rule inserted is evaluated first
iptables -I DOCKER-USER -p tcp --dport 80 -j REJECT
iptables -I DOCKER-USER -p tcp --dport 443 -j REJECT
iptables -I DOCKER-USER -p tcp --dport 3306 -j REJECT
iptables -I DOCKER-USER -s <my ip> -p tcp --dport 443 -j RETURN
iptables -I DOCKER-USER -s 172.18.0.0/16 -p tcp --dport 3306 -j RETURN

Works OK to block all traffic, except it also blocks all outgoing traffic, rendering e.g. API calls to other systems useless. How can I block all incoming traffic on 443, and also allow outgoing traffic on 443?


Best Answer


You can specify rules for the DOCKER-USER chain targeting the docker interface with -i as input and -o as output.

# -i matches packets arriving on the docker interface
iptables -I DOCKER-USER -i ${docker_interface} -p tcp --dport 443 -j REJECT
# -o matches packets leaving through the docker interface
iptables -I DOCKER-USER -o ${docker_interface} -p tcp --dport 443 -j ACCEPT

instead of:

iptables -I DOCKER-USER -p tcp --dport 443 -j REJECT

If you're running your docker container with the default bridged configuration, ${docker_interface} should be set to bridge. If that is not the case, use the docker network ls command to retrieve it.
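As an added example (not code from the question or the answer above), here is a small script that builds a complete DOCKER-USER chain for the situation in the question: only a short allow-list of client addresses may reach the published port 443, other ports reached from outside are rejected, and traffic the containers open themselves (including outbound HTTPS API calls) is left alone. It follows the approach in Docker's own networking documentation of matching only packets that arrive on the host's external interface with -i, so packets entering from the container bridge never hit the filter. The interface name eth0 and the addresses in ALLOWED are constructed placeholders; by default the script only prints the commands, and applies them with APPLY=1.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) DOCKER-USER rules that
# restrict inbound access to published ports without touching outbound traffic.
# EXT_IF and ALLOWED are placeholders; adjust them to your host.
set -eu

EXT_IF="${EXT_IF:-eth0}"                                  # host's external interface (assumed)
ALLOWED="${ALLOWED:-203.0.113.10 198.51.100.0/24}"        # constructed example client addresses
PUBLISHED_PORTS="${PUBLISHED_PORTS:-80,443,3306}"         # ports Docker publishes on the host

# Print the iptables commands that define the whole chain, top to bottom.
# -A appends, so the printed order is the evaluation order.
docker_user_rules() {
    # Start from an empty chain; Docker created it and expects a final RETURN.
    printf 'iptables -F DOCKER-USER\n'

    # Replies to connections the containers opened themselves arrive on the
    # external interface in state ESTABLISHED; let them through.
    printf 'iptables -A DOCKER-USER -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n' "$EXT_IF"

    # Allow-listed clients may open new connections to port 443.
    for src in $ALLOWED; do
        printf 'iptables -A DOCKER-USER -i %s -s %s -p tcp --dport 443 -j RETURN\n' "$EXT_IF" "$src"
    done

    # Everyone else coming from outside is rejected on the published ports.
    printf 'iptables -A DOCKER-USER -i %s -p tcp -m multiport --dports %s -j REJECT\n' "$EXT_IF" "$PUBLISHED_PORTS"

    # Anything that did not match (notably packets entering from the docker
    # bridge, i.e. container-originated traffic) continues to Docker's own rules.
    printf 'iptables -A DOCKER-USER -j RETURN\n'
}

# Count the rules that would be installed (useful for a quick sanity check).
rule_count() {
    docker_user_rules | grep -c -- '-A DOCKER-USER'
}

if [ "${APPLY:-0}" = 1 ]; then
    docker_user_rules | sh       # needs root; applies the rules for real
else
    docker_user_rules            # dry run: just show what would be applied
fi
```

Because every filtering rule carries -i "$EXT_IF", a packet the container sends out to a remote HTTPS API enters the FORWARD path from the bridge interface, matches nothing but the final RETURN, and is handled by Docker's default rules as before; only the inbound direction is constrained.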