The rule I used is: iptables -A INPUT -source 10.125.0.0/16 -destination 10.125.0.1 -j ACCEPT. This means that attaching a container to this network (or do you attach a network to a container? 🤔) I can reverse proxy from the host! The idea is that I can now create an explicit iptables rule for this network, allowing access from the local machine to the containers in that network. In order to solve this, I created a new network “ingress”, that I can attach containers to: docker network create -ip-range 10.125.0.0/16 -subnet=10.125.0.0/16 ingress.
Unfortunately, doing this, meant that I also couldn’t connect to the docker container from the host for, e.g., reverse proxying. Luckily, the docker documentation on iptables 1 gives us a way to fix that: iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP. Adding docker in the mix is a bit weird, because it does a lot magic with iptables that was a bit above my comfort-level (I’m a programmer, not a network-administrator!) The main thing that it does is open all the ports to all dockers that expose ports.
I based it on iptables, and that has been running well for a long time. This would provide better segmentation of responsibilities, even though it would cost a bit more resources on the machines.Ä«ecause the VPS is directly connected to the net, it has a firewall.
Recently, I wanted to move some services that I’m running on my home server and in a VPS to docker containers.
0 kommentar(er)
