Disable access to LAN from docker container

Backend · unresolved · 2 · 1109
挽巷 2020-12-17 22:23

I am running Gentoo host with Ubuntu container in Docker. They communicate via bridge automatically created by Docker. I would like to drop all traffic for 192.168.0.0/16 th

2 answers
  •  太阳男子
    2020-12-17 22:44

    One option would be to run docker with --icc=false, preventing any container from communicating with other containers; you could then let containers communicate with each other by linking them with --link=container_name:alias. This will not block the container from communicating with the host at this time though.

    You could also operate with iptables with a rule like:

    iptables -A INPUT -i docker0 -d 192.168.0.0/16 -j DROP
    

    Keep in mind that a host doesn't see a dropped packet coming back as an ICMP error, so maybe REJECT is more appropriate in most cases.

    edit: correcting the rule to block the forward to other hosts:

    iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
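
The answer above puts the rule straight into FORWARD. Since Docker 17.06 the supported place for user rules is the DOCKER-USER chain, which Docker jumps to at the top of FORWARD and never flushes when it restarts. The script below is an added example (not code from the answerer or from Docker) that installs the same block there, with two details a practitioner usually wants: REJECT instead of DROP so the container gets an immediate ICMP error, and a conntrack exception so that replies to connections the LAN side opened (a published port, for instance) are not rejected. It assumes the bridge is docker0 and the LAN is 192.168.0.0/16; both are overridable, and both values are assumptions taken from the question, not verified on any host.

```shell
#!/bin/sh
# Added example: block container-initiated traffic to the LAN via the DOCKER-USER chain.
# Assumes Docker >= 17.06 (DOCKER-USER exists) and iptables with the conntrack match.
# Must run as root to change rules. Set DRY_RUN=1 to print the commands instead.
#
# Usage:  sh block-lan.sh apply      # install the rules
#         sh block-lan.sh remove     # take them out again
#         DRY_RUN=1 sh block-lan.sh apply

BRIDGE="${BRIDGE:-docker0}"          # assumed bridge name (Docker's default)
LAN="${LAN:-192.168.0.0/16}"         # assumed LAN range from the question

# RUN is empty when applying for real and "echo" in dry-run mode.
RUN="${DRY_RUN:+echo}"

block_container_to_lan() {
    bridge="$1"
    lan="$2"
    # Rule 1: let replies to connections opened from the LAN side pass. Without this,
    # a LAN client reaching a published container port gets its replies rejected.
    $RUN iptables -I DOCKER-USER 1 -i "$bridge" -d "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    # Rule 2: reject everything else the container sends towards the LAN.
    # REJECT, not DROP, so the container fails fast instead of waiting for a timeout.
    # Everything not matched falls through to Docker's own rules via the chain's RETURN.
    $RUN iptables -I DOCKER-USER 2 -i "$bridge" -d "$lan" \
        -j REJECT --reject-with icmp-admin-prohibited
}

# Remove exactly the two rules installed above (iptables -D matches by rule text).
unblock_container_to_lan() {
    bridge="$1"
    lan="$2"
    $RUN iptables -D DOCKER-USER -i "$bridge" -d "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    $RUN iptables -D DOCKER-USER -i "$bridge" -d "$lan" \
        -j REJECT --reject-with icmp-admin-prohibited
}

case "${1:-}" in
    apply)  block_container_to_lan "$BRIDGE" "$LAN" ;;
    remove) unblock_container_to_lan "$BRIDGE" "$LAN" ;;
esac
```

Check the result with `iptables -L DOCKER-USER -n -v --line-numbers`: the conntrack RETURN must sit above the REJECT, and both above Docker's default RETURN. Note that if the host itself has a 192.168.x address, container-to-host traffic on that address is rejected too; if the host must stay reachable, add a narrower `-d <host-ip> -j RETURN` before rule 2 (the INPUT rule from the answer is what governs traffic addressed to the host rather than forwarded through it).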
    
