What is the best way to restrict internet access to a single docker container while still forwarding ports?
My current way of doing this works like this:
sudo docker network create --internal --subnet 10.1.1.0/24 no-internet
sudo docker run --name gitlab -d -p 80:80 -p 822:22 --restart always gitlab/gitlab-ce
sudo docker network connect no-internet gitlab
sudo docker network disconnect bridge gitlab
The problem is that if I restart the system the ports are not forwarded anymore:
before reboot:
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d2a062744ec gitlab/gitlab-ce "/assets/wrapper" 13 seconds ago Up 13 seconds (health: starting) 0.0.0.0:80->80/tcp, 443/tcp, 0.0.0.0:822->22/tcp gitlab
after reboot:
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2d2a062744ec gitlab/gitlab-ce "/assets/wrapper" 12 minutes ago Up 2 minutes (healthy) gitlab
So if I understand your scenario correctly, you would like to avoid sharing your host's network to your gitlab container to make sure gitlab cannot connect to the internet. At the same time you wish to share the host's network to bind a container port to your host system. It doesn't work that way, but the following might be an acceptable workaround for you: docker containers sharing the same internal network can connect to exposed/published ports of other containers on the same network.
You could follow this approach:
I quickly put this example together, hope that gets you started:
docker network create --internal --subnet 10.1.1.0/24 no-internet
docker network create internet
docker-compose.yml:
vhost.conf:
Please note the above-mentioned internet network is actually not needed, as a docker container shares the host network by default anyway. It's just there to make things clearer.
In the example depicted above, open http://localhost/ and you will see the response of the whoami container; the whoami container itself however can't connect to the internet.
You can also use internal: true to disable internet connectivity:
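The proxy-on-two-networks pattern the answer describes, written out as an added example; this is not the answer's own docker-compose.yml or vhost.conf (those files are not reproduced on this page). It assumes Docker Compose v2.23.1 or newer (for the inline content: form of configs) and the images nginx:alpine and traefik/whoami.

```yaml
# Added example, not the answer's own files. A reverse proxy sits on both
# networks and publishes port 80; whoami is attached only to the internal
# network, so it is reachable through the proxy but has no route out.
networks:
  internet:                   # ordinary bridge network, NAT to the outside
  no-internet:
    name: no-internet         # same name as in the question's commands
    internal: true            # no default route: containers here cannot egress
    ipam:
      config:
        - subnet: 10.1.1.0/24

configs:
  vhost.conf:
    content: |
      server {
        listen 80;
        location / {
          proxy_pass http://whoami:80;     # resolved via Docker's embedded DNS
          proxy_set_header Host $$host;    # $$ keeps the $ literal for Compose
        }
      }

services:
  proxy:
    image: nginx:alpine
    restart: always           # the published port is recreated on every start
    ports:
      - "80:80"
    networks:
      - internet
      - no-internet
    configs:
      - source: vhost.conf
        target: /etc/nginx/conf.d/default.conf
    depends_on:
      - whoami

  whoami:
    image: traefik/whoami
    restart: always
    networks:
      - no-internet           # only here: no internet access, proxy still reaches it
```

After `docker compose up -d`, http://localhost/ answers through the proxy; to confirm the restriction actually holds, attach a throwaway container to the internal network (for example `docker run --rm --network no-internet alpine wget -qO- http://example.com`) and check that the connection fails.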