Disable access to LAN from docker container

Backend · Open · 2 answers · 1099 views
挽巷 2020-12-17 22:23

I am running a Gentoo host with an Ubuntu container in Docker. They communicate via a bridge automatically created by Docker. I would like to drop all traffic for 192.168.0.0/16 th

2 answers
  • 2020-12-17 22:29

    As @DRC said, use

    iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
    

    Nevertheless, this rule will block traffic from your local network to your container (the connection will be established, but your container won't be able to respond).

    To allow connections from your local network to your container, you also have to add

    iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
    
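The two rules above only work as intended if the ESTABLISHED,RELATED ACCEPT ends up above the DROP, and `-I` inserts at the top, so the order in which they are run matters. The script below is an added example, not code from either answer: it prints the two commands in the order they must be run and checks an `iptables -S FORWARD` listing (read from stdin) for that ordering. The bridge name docker0 and the 192.168.0.0/16 range come from the question; the `TARGET` variable, the `check_order` and `apply_rules_cmds` function names, and both sample listings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread's authors. Builds the two FORWARD rules
# given in the answer above and verifies their relative order in an
# `iptables -S FORWARD` listing. Assumptions: bridge docker0 and LAN range
# 192.168.0.0/16 (both from the question); the sample listings below are
# constructed, not captured from a real host.

BRIDGE="${BRIDGE:-docker0}"
LAN="${LAN:-192.168.0.0/16}"
TARGET="${TARGET:-DROP}"   # REJECT also works and sends the container an ICMP error instead of silence

# Commands in the order they must be RUN. Both use -I (insert at the top), so the
# ACCEPT, inserted second, lands above the DROP and replies to LAN-initiated
# connections are accepted before the DROP is reached.
apply_rules_cmds() {
    printf 'iptables -I FORWARD -i %s -d %s -j %s\n' "$BRIDGE" "$LAN" "$TARGET"
    printf 'iptables -I FORWARD -i %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$BRIDGE" "$LAN"
}

# Read an `iptables -S FORWARD` listing on stdin; exit 0 only if the
# ESTABLISHED,RELATED ACCEPT for this bridge/LAN precedes the DROP/REJECT.
# iptables -S prints options in its own order (-d before -i, RELATED,ESTABLISHED),
# so every condition is matched independently of position on the line.
check_order() {
    awk -v br="$BRIDGE" -v lan="$LAN" '
        $0 ~ ("-i " br) && $0 ~ ("-d " lan) {
            if (/ESTABLISHED/ && /-j ACCEPT/ && !acc) acc = NR
            if (/-j (DROP|REJECT)/ && !drp)            drp = NR
        }
        END {
            if (!drp) { print "missing DROP/REJECT rule for " lan; exit 2 }
            if (!acc) { print "no ESTABLISHED,RELATED ACCEPT: LAN-initiated connections get no replies"; exit 1 }
            if (acc > drp) { print "ACCEPT (line " acc ") is below the block (line " drp "): replies still dropped"; exit 1 }
            print "ok: ACCEPT at line " acc " precedes block at line " drp; exit 0
        }'
}

# Constructed listing: rules applied in the order the answer gives (DROP first, then ACCEPT).
SAMPLE_GOOD='-P FORWARD DROP
-A FORWARD -d 192.168.0.0/16 -i docker0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -i docker0 -j DROP
-A FORWARD -j DOCKER-USER'

# Constructed listing: same rules, but the ACCEPT was inserted first, so it sits below the DROP.
SAMPLE_BAD='-P FORWARD DROP
-A FORWARD -d 192.168.0.0/16 -i docker0 -j DROP
-A FORWARD -d 192.168.0.0/16 -i docker0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER'

# Stand-alone demo. On a real host (as root): iptables -S FORWARD | check_order
echo "commands to run, in this order:"
apply_rules_cmds
for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    printf '%s\n' "$s" | check_order || true
done
```

`check_order` is meant to be run after the rules are applied, and again after a Docker restart: Docker inserts its own rules into FORWARD when it starts, which can reorder what you added. Docker documents the DOCKER-USER chain for exactly this purpose (user rules that are evaluated before Docker's own), so the same two rules can be placed there instead; the ordering check applies unchanged if you feed it `iptables -S DOCKER-USER`.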
  • 2020-12-17 22:44

    One option would be to run Docker with --icc=false, preventing any container from communicating with other containers; you could then let containers communicate with each other by linking them with --link=container_name:alias. This will not block the container from communicating with the host at this time, though.

    You could also use iptables with a rule like:

    iptables -A INPUT -i docker0 -d 192.168.0.0/16 -j DROP
    

    Keep in mind that a host doesn't see a dropped packet come back as an ICMP error, so maybe REJECT is more appropriate in most cases.

    Edit: correcting the rule to block forwarding to other hosts:

    iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
    