DizRD Posted February 23, 2022

Hi, new Unraid user here. I'm not sure, but I think I have a fairly basic setup of Unraid so far, but before I start getting friends and family to use my server, I'm wanting to tighten up security. It seems Docker containers are able to talk to each other on my Unraid container networks and to the Unraid host itself.

Here are the advanced network settings from my Unraid Docker tab:

Host access to custom networks: Disabled
Preserve user defined networks: No

However, even with those settings a container on a custom network was able to access other containers via a host-exposed port, and the containers were able to reach other IPs in my actual LAN range. I tried disabling ICC when creating the network to improve isolation, like:

docker network create -o "com.docker.network.bridge.enable_icc"="false" isonet1
docker network create --internal nonet1

I eventually got a block working by using iptables directly:

iptables -A INPUT -s 172.18.0.0/24 -d 192.168.1.0/24 -j DROP

<Thanks to: >

What I noticed is that this stops containers from accessing exposed ports on the Unraid host, but doesn't stop local LAN access. So a compromised container would allow an attacker to use that container to attack my router or other network devices. So I tried:

iptables -A FORWARD -s 172.18.0.0/24 -d 192.168.1.0/24 -j DROP

Which seems to work, but also kills network access out to the internet. I'm curious if people have suggestions on better iptables commands to block host and LAN access but still allow internet access. This would allow me to create relatively isolated networks for different container groups that I could route to with NPM.
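The two rules in the post above hit different netfilter chains: INPUT only sees packets addressed to the host itself, while FORWARD sees packets the host routes on a container's behalf (LAN and internet). The following is an added example, not the poster's rules or Unraid's or Docker's code: a small first-match evaluator that models those two chains, emits the equivalent iptables commands, and runs a constructed container-egress policy (no host services, no RFC1918 destinations, DNS to the gateway only, everything else out to the internet) against sample flows. The container subnet and LAN range come from the thread; the gateway/DNS address, the host's own addresses, the sample flows and the simplified chain model are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed values: the container subnet and LAN range are from the thread;
# the gateway/DNS address and the host's own addresses are assumptions.
CONTAINER_NET = "172.18.0.0/24"
LAN_NET = "192.168.1.0/24"
GATEWAY = "192.168.1.1"                       # assumed router and DNS resolver
HOST_ADDRS = {"192.168.1.10", "172.18.0.1"}   # assumed Unraid host addresses
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    established: bool = False   # reply traffic of a flow the container opened


@dataclass
class Rule:
    chain: str                  # "INPUT" (to the host) or "FORWARD" (routed by the host)
    target: str                 # "ACCEPT" or "DROP"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False   # mimics "-m conntrack --ctstate ESTABLISHED,RELATED"

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not pkt.established:
            return False
        return True

    def to_iptables(self) -> str:
        # Docker evaluates DOCKER-USER before its own FORWARD rules, so user
        # rules belong there rather than appended to FORWARD.
        chain = "DOCKER-USER" if self.chain == "FORWARD" else self.chain
        parts = ["iptables", "-A", chain]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.established:
            parts += ["-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED"]
        return " ".join(parts + ["-j", self.target])


def isolation_policy() -> List[Rule]:
    """Containers: no host services, no LAN, DNS to the gateway only, internet allowed."""
    return [
        Rule("INPUT", "DROP", src=CONTAINER_NET),
        Rule("FORWARD", "ACCEPT", established=True),
        # Keep traffic inside the container network itself; bridged traffic can
        # also traverse FORWARD when br_netfilter is active.
        Rule("FORWARD", "ACCEPT", src=CONTAINER_NET, dst=CONTAINER_NET),
        Rule("FORWARD", "ACCEPT", src=CONTAINER_NET, dst=GATEWAY + "/32", proto="udp", dport=53),
        *[Rule("FORWARD", "DROP", src=CONTAINER_NET, dst=net) for net in RFC1918],
    ]


def input_only_rule() -> List[Rule]:
    """The INPUT-only rule from the thread: protects host services, not the LAN."""
    return [Rule("INPUT", "DROP", src=CONTAINER_NET, dst=LAN_NET)]


def verdict(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule in the applicable chain wins; otherwise the chain policy."""
    chain = "INPUT" if pkt.dst in HOST_ADDRS else "FORWARD"
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.target
    return policy


# Constructed sample flows from a container at 172.18.0.5.
SAMPLE_FLOWS = {
    "host_web_ui": Packet("172.18.0.5", "192.168.1.10", "tcp", 8080),
    "lan_nas": Packet("172.18.0.5", "192.168.1.50", "tcp", 445),
    "router_admin": Packet("172.18.0.5", GATEWAY, "tcp", 80),
    "dns": Packet("172.18.0.5", GATEWAY, "udp", 53),
    "internet_https": Packet("172.18.0.5", "93.184.216.34", "tcp", 443),
    "sibling_container": Packet("172.18.0.5", "172.18.0.6", "tcp", 5432),
    "reply_from_internet": Packet("93.184.216.34", "172.18.0.5", "tcp", 443, established=True),
}


def evaluate(rules: Optional[List[Rule]] = None) -> Dict[str, str]:
    rules = isolation_policy() if rules is None else rules
    return {name: verdict(rules, pkt) for name, pkt in SAMPLE_FLOWS.items()}


def ruleset_commands() -> List[str]:
    return [r.to_iptables() for r in isolation_policy()]


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:22s} {result}")
    print("\n".join(ruleset_commands()))
```

The evaluator is a teaching model, not netfilter: it ignores interfaces, NAT and Docker's own chains, and it treats "destination is one of the host's addresses" as the INPUT/FORWARD split. The point it demonstrates is that an INPUT rule can never block container-to-LAN traffic, and that a FORWARD policy which drops private ranges but leaves non-RFC1918 destinations on the default ACCEPT keeps internet access working while still cutting off the router and other LAN hosts.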
bonienl Posted February 23, 2022

The way to make this work properly is to define different custom networks. A custom network is by design an isolated environment, and only members of this custom network can talk to each other. Also by design, Docker containers in a custom network cannot communicate with the host (Unraid server), though there is a setting to bypass this restriction (not recommended).

Custom networks are either assigned to different physical ethernet ports or different VLANs (virtual networks). This ensures traffic between custom networks is never shared, but completely segregated.
DizRD Posted February 23, 2022 (Author)

Your first paragraph was what I was trying to communicate wasn't true in my case. That being said, I didn't set up the custom networks with different physical ethernet ports. Do you have link(s) to share, or would searching with "custom network" "physical ethernet ports" be the next best choice?
SggCnn93 Posted December 2, 2022

On 2/23/2022 at 11:55 AM, bonienl said:
Custom networks are either assigned to different physical ethernet ports or different VLANs (virtual networks). This ensures traffic between custom networks is never shared, but completely segregated.

Sorry for digging up an old post, but I'm trying to do exactly this and I can't find any info on how to do it. How can I assign a custom network to a different physical port? After creating the network with "docker network create XXXX" I can't find a way to route it through eth1/br1 instead of eth0/br0. On Discord someone suggested changing the iptables, but if there was an "easier" and more "permanent" way to do this it would be great. Ty very much for the help!

Edited December 2, 2022 by SggCnn93
Timoh94 Posted December 7, 2022

On 12/3/2022 at 12:17 AM, SggCnn93 said:
Sorry for digging up an old post, but I'm trying to do exactly this and I can't find any info on how to do it. How can I assign a custom network to a different physical port? After creating the network with "docker network create XXXX" I can't find a way to route it through eth1/br1 instead of eth0/br0. On Discord someone suggested changing the iptables, but if there was an "easier" and more "permanent" way to do this it would be great. Ty very much for the help!

Hey, I want the same. Is there something new?
SggCnn93 Posted December 8, 2022

On 12/7/2022 at 11:14 AM, Timoh94 said:
Hey, I want the same. Is there something new?

Opened a new thread to ask about this but couldn't find a solution even after trying a lot of things. I ended up solving my problem in a different way, but would still like to know if this works or not. Was hoping @bonienl could answer this for us.
DizRD Posted December 10, 2022 (Author)

So yea, I had to figure out what bonienl was talking about. Maybe there is a better way, but I had to get a smart switch that supports VLANs, create a VLAN, attach a network adapter to the VLAN port on the switch, and then attach the relevant Docker network to the VLAN. It works, but it's a pain to set up. Networking in Kubernetes would be easier, but I know that's not officially supported.

Ultimately, with my time in Unraid, while I love it as a storage device/internal app server, I wouldn't trust the isolation provided by Docker and VLANs at the moment for public internet-facing apps. But that's just me as a security person. I'm probably just going to set up a Fedora server with Kubernetes for any public internet-facing apps.