In Linux we trust!

Docker: How to restrict external access

Want a Docker container without access to the Internet?

I'm going to solve this by adding an iptables rule. First, let's pick a fixed IP address and create a Docker network that contains it:

# docker network create --subnet=172.14.0.0/16 mynet
# IP="172.14.0.1"

The iptables rule that blocks new outbound connections from this IP (DOCKER-USER is the chain Docker consults from FORWARD before its own rules, so rules placed there survive Docker's rule management):

# iptables -I DOCKER-USER -s "$IP" -m state --state NEW -j DROP

Test it:

# docker run -ti --rm --net mynet --ip "$IP" ubuntu bash
# apt-get update
Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
  Temporary failure resolving 'archive.ubuntu.com'

As you can see above, no network. Don't forget to persist the new iptables rules so they are reapplied when the network interface comes up:

# iptables-save >/etc/mysql.iptables
# echo '#!/bin/sh' >/etc/network/if-up.d/iptables
# echo 'iptables-restore </etc/mysql.iptables' >>/etc/network/if-up.d/iptables
# chmod a+x /etc/network/if-up.d/iptables
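As an added example (not code from the original post), here is a small POSIX shell script that builds the DOCKER-USER rule from the steps above, inserts it only when it is not already loaded, and checks a saved ruleset both for the rule's presence and for its position ahead of the chain's final RETURN. The function names and the sample iptables-save output are constructed for this illustration.

```shell
#!/bin/sh
# Added example; function names and sample iptables-save output are constructed.

# The rule body from the post: drop NEW connections sourced from the
# container IP. iptables-save prints a single address as IP/32.
docker_user_rule_spec() {
    printf '%s' "-s $1/32 -m state --state NEW -j DROP"
}

# Insert the rule only if it is not already loaded (iptables -C exits
# non-zero when the rule is absent). Needs root and a running Docker
# daemon, which is why it is not called automatically below.
apply_rule_once() {
    if iptables -C DOCKER-USER -s "$1" -m state --state NEW -j DROP 2>/dev/null; then
        echo "DOCKER-USER drop rule for $1 already present"
    else
        iptables -I DOCKER-USER -s "$1" -m state --state NEW -j DROP
    fi
}

# Exit 0 if a saved ruleset (iptables-save format on stdin) contains the rule.
rule_present_in_save() {
    grep -q -F -x -- "-A DOCKER-USER $(docker_user_rule_spec "$1")"
}

# Exit 0 only if the rule sits before DOCKER-USER's final RETURN. A rule
# appended with -A instead of -I lands after the RETURN and never matches.
rule_ordered_before_return() {
    awk -v rule="-A DOCKER-USER $(docker_user_rule_spec "$1")" '
        $0 == rule && !ret { ok = 1 }
        $0 == "-A DOCKER-USER -j RETURN" { ret = 1 }
        END { exit !ok }'
}

# Constructed sample: what iptables-save shows after the post's -I command.
SAVE_OK='*filter
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -s 172.14.0.1/32 -m state --state NEW -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed sample of the mistake: the same rule appended after the RETURN.
SAVE_APPENDED='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN
-A DOCKER-USER -s 172.14.0.1/32 -m state --state NEW -j DROP
COMMIT'
```

Because `iptables-save` also captures the chains Docker maintains itself, restoring that whole dump on every interface event can fight with the daemon's own rule rewrites; re-adding just the rule you own, as `apply_rule_once` does, avoids that.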

That's all! I wish you all the best!