Hi, new Unraid user here.
I'm not sure, but I think I have a fairly basic Unraid setup so far, but before I start getting friends and family to use my server, I want to tighten up security.
It seems Docker containers are able to talk to each other on my Unraid container networks and to the Unraid host itself.
Here are the advanced network settings from my Unraid Docker tab:
Host access to custom networks: Disabled
Preserve user defined networks: No
However, even with those settings, a container on a custom network was able to access other containers via ports exposed on the host, and the containers were able to reach other IPs in my actual LAN range.
I tried disabling ICC when creating the network to improve isolation, like:
docker network create -o "com.docker.network.bridge.enable_icc"="false" isonet1
docker network create --internal nonet1
I eventually got a block working by using iptables directly:
iptables -A INPUT -s 172.18.0.0/24 -d 192.168.1.0/24 -j DROP
What I noticed is that this stops containers from accessing exposed ports on the Unraid host, but doesn't stop local LAN access. So a compromised container would allow an attacker to use that container to attack my router or other network devices.
So I tried:
iptables -A FORWARD -s 172.18.0.0/24 -d 192.168.1.0/24 -j DROP
Which seems to work, but also kills network access out to the internet.
I'm curious if people have suggestions on better iptables commands to block host and LAN access but still allow internet access.
This would allow me to create relatively isolated networks for different container groups that I could route to with NPM.
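One way to get the split the post is asking for (no host, no LAN, but still internet) is shown below. This is an added example, not something from the original post or from Unraid/Docker. The one detail a blanket `-d 192.168.1.0/24 -j DROP` in FORWARD tends to miss is that the router is usually also the DNS resolver, so dropping all LAN traffic silently removes name resolution and the internet "disappears"; the ruleset allows DNS to the resolver explicitly before dropping the rest of the LAN. Assumptions, all adjustable at the top of the script: the custom network is 172.18.0.0/24 and the LAN is 192.168.1.0/24 (both from the post), the resolver is the router at 192.168.1.1 (assumed), the chain name CONTAINER-ISOLATE is made up, and the host runs a Docker version that has the DOCKER-USER chain (the chain Docker reserves for user rules, evaluated before Docker's own FORWARD rules so they cannot be bypassed by the per-bridge ACCEPTs Docker adds). By default it only prints the iptables commands; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an iptables ruleset that
# stops a custom Docker network from reaching the Unraid host and the LAN while
# still allowing DNS to the router and outbound internet access.
# All values below are placeholders/assumptions to adjust for your setup.
DOCKER_NET="${DOCKER_NET:-172.18.0.0/24}"   # custom docker network (from the post)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # physical LAN (from the post)
RESOLVER="${RESOLVER:-192.168.1.1}"         # assumed: router is the DNS resolver
CHAIN="${CHAIN:-CONTAINER-ISOLATE}"         # made-up name for our own chain
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = apply (root)

# Print or execute one iptables invocation depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build the isolation chain. Order matters: first match wins, so the allow
# rules (RETURN to the calling chain) come before the DROP rules.
build_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true   # create if missing, ignore "exists"
    ipt -F "$CHAIN"
    # Replies to connections opened towards the containers (e.g. NPM proxying
    # a request into this network) must keep flowing.
    ipt -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    # Containers on the same custom network may still talk to each other.
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d "$DOCKER_NET" -j RETURN
    # DNS to the resolver is the one LAN destination that stays open; without
    # it a LAN-wide DROP looks like it "kills the internet".
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d "$RESOLVER" -p udp --dport 53 -j RETURN
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d "$RESOLVER" -p tcp --dport 53 -j RETURN
    # Everything else from the container network to the LAN is dropped ...
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d "$LAN_NET" -j DROP
    # ... as is traffic to the other private ranges, which is where a second
    # custom network (or a port published on the host and DNAT'ed back into
    # another container) would end up. Public destinations fall through.
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d 10.0.0.0/8 -j DROP
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d 172.16.0.0/12 -j DROP
    ipt -A "$CHAIN" -s "$DOCKER_NET" -d 192.168.0.0/16 -j DROP
}

# Hook the chain in. DOCKER-USER runs before Docker's own FORWARD rules; the
# INPUT rule stops new connections from the containers to the host itself,
# on any host address (including the bridge gateway 172.18.0.1).
install_hooks() {
    ipt -I DOCKER-USER 1 -s "$DOCKER_NET" -j "$CHAIN"
    ipt -I INPUT 1 -s "$DOCKER_NET" -m conntrack --ctstate NEW -j DROP
}

# Full plan: chain contents first, then the jumps that activate them.
plan() {
    build_chain
    install_hooks
}

plan
```

Check it afterwards with `iptables -L CONTAINER-ISOLATE -n -v --line-numbers` and, from inside a container on the network, confirm that a lookup like `nslookup example.com` still works while a connection to a LAN address times out. Note that the INPUT rule assumes the host itself is not the containers' DNS server; if it is, add a RETURN/ACCEPT for port 53 ahead of it in the same way as the resolver rules above.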