TechQA.

Disallow egress from Docker containers on Docker for Mac

1.4k views Asked by At

I want to disable all outgoing connections that are initiated by docker containers to the outside world. I can do this in linux by adding a rule to the FORWARD chain in linux. How do I do this in Docker for Mac?

I found out that Docker for Mac uses an xhyve vm and that’s where docker0 interface lives. What interface in the host does this connect to? I used nettop on Mac and I see that Docker uses my en0 wireless interface. But, I’m not sure if Docker and xhyve are using the same interface.

Edit: Added docker-for-windows tag because they might have similar solutions (Hoping)

Edit 2: Docker for Mac has changed so the accepted solution changed a bit

macos docker docker-for-windows docker-for-mac ipfw
Original Q&A
2

There are 2 answers

14
Matt On BEST ANSWER

Docker

$ docker run --net=host --privileged -ti alpine sh
# apk update && apk add iptables
# iptables -vnL

This and the rules could be turned into a Dockerfile and run with a -- restart option. I think on-failure might work to reapply the rules when Docker for Mac starts up.

Virtual Machine

To get to the linux VM:

mac$ brew install screen
mac$ screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty

Since the move to linuxkit, this is not your average linux host, everything's a container:

linuxkit:~# ctr -n services.linuxkit tasks ls
TASK                    PID     STATUS    
acpid                   925     RUNNING
diagnose                967     RUNNING
host-timesync-daemon    1116    RUNNING
ntpd                    1248    RUNNING
vpnkit-forwarder        1350    RUNNING
docker-ce               1011    RUNNING
kubelet                 1198    RUNNING
trim-after-delete       1303    RUNNING
vsudd                   1398    RUNNING

Use runc to move into the docker-ce (or docker) namespace

linuxkit:~# runc --root /run/containerd/runc/default exec -t docker-ce /bin/sh
docker-ce # iptables -vnL

Note that rules will disappear after a restart of Docker for Mac. I haven't found the secret sauce for persisting system changes yet.

Use ctrl-a then d to exit the screen session otherwise you will bork the terminal.

OSX

For the easy but € option, use Little Snitch and block outbound connections on OSX from com.docker.supervisor via vpnkit.

1
Yuankun On

Try Mac's pfctl command, it's kind of equivalent to iptables.

Here's man page: https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man8/pfctl.8.html

Related Questions in MACOS

Related Questions in DOCKER

Related Questions in DOCKER-FOR-WINDOWS

Related Questions in DOCKER-FOR-MAC

Related Questions in IPFW

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions