Do not rely on this: Filter network with iptables in docker compose setup
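# usage:
#   docker compose up -d
#   docker compose run app bash
#
# try it:
#   root@0e4a01131864:/# timeout 5s curl https://nrk.no && echo worked || echo failed
#   failed
#
#   root@0e4a01131864:/# dig nrk.no
#
#   ; <<>> DiG 9.18.39-0ubuntu0.24.04.5-Ubuntu <<>> nrk.no
#   ;; global options: +cmd
#   ;; Got answer:
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48773
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
#
#   ;; OPT PSEUDOSECTION:
#   ; EDNS: version: 0, flags:; udp: 65494
#   ;; QUESTION SECTION:
#   ;nrk.no.                        IN      A
#
#   ;; ANSWER SECTION:
#   nrk.no.                 13      IN      A       91.135.34.66
#   nrk.no.                 13      IN      A       91.135.34.26
#
#   ;; Query time: 0 msec
#   ;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
#   ;; WHEN: Wed Jun 10 10:32:51 UTC 2026
#   ;; MSG SIZE  rcvd: 67
#
# Note on the dig output: the resolver is 127.0.0.11, Docker's embedded DNS,
# which is reached over the loopback interface. The loopback ACCEPT rules below
# therefore let DNS through regardless of the "Cloudflare only" rules; those
# rules only matter for processes that talk to 1.1.1.1 directly.
services:
  # Owns the network namespace that `app` joins (network_mode below). Only this
  # service holds CAP_NET_ADMIN, so processes in `app` cannot flush or rewrite
  # the ruleset.
  firewall:
    image: ubuntu:24.04
    cap_add:
      - NET_ADMIN
    # Explicit argv + literal block scalar (|) keeps the script line-oriented.
    # The original folded scalar (>) joined lines with spaces, so each `# ...`
    # comment swallowed the commands that followed it on the same joined line.
    # `-e` aborts on the first failing command instead of leaving a partial
    # ruleset in place and then sleeping as if everything had worked.
    command:
      - bash
      - -ec
      - |
        # The package install needs egress and runs BEFORE any rule exists;
        # baking iptables into an image removes that unfiltered window.
        apt-get update
        apt-get install -y iptables
        # Default deny. Only IPv4 is filtered here; if the compose network has
        # IPv6 enabled, add matching ip6tables policies or v6 egress stays open.
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP
        # Allow loopback (this is also the path to Docker's 127.0.0.11 resolver)
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT
        # Allow established connections
        iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        # Allow DNS to Cloudflare only
        iptables -A OUTPUT -p udp -d 1.1.1.1 --dport 53 -j ACCEPT
        iptables -A OUTPUT -p tcp -d 1.1.1.1 --dport 53 -j ACCEPT
        echo "firewall: ruleset loaded"
        sleep infinity
    # Reports healthy only once the OUTPUT default policy is DROP. `app` waits
    # on this (depends_on condition) so it does not start, and get unrestricted
    # egress, while apt-get is still running. start_period covers the install
    # time so the failing checks before iptables exists are not counted.
    healthcheck:
      test: ["CMD", "bash", "-c", "iptables -S OUTPUT | grep -q -- '-P OUTPUT DROP'"]
      interval: 2s
      timeout: 2s
      retries: 30
      start_period: 120s
  app:
    build: .
    # Shares firewall's network namespace: its rules apply to every process here.
    network_mode: "service:firewall"
    # A bare `depends_on: [firewall]` only waits for the container to be created,
    # not for the rules to be loaded.
    depends_on:
      firewall:
        condition: service_healthy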
# Test image for the `app` service. It carries only client tools used to probe
# the firewall's rules from inside the shared network namespace; it is granted
# no extra capabilities, so it cannot change those rules itself.
# The apt index is removed in the same layer so it does not bloat the image.
FROM ubuntu:24.04
RUN set -eux; \
    apt-get update; \
    apt-get install -y \
        curl \
        dnsutils \
        iputils-ping \
        netcat-openbsd; \
    rm -rf /var/lib/apt/lists/*