Block docker access to specific IP

I’d like my EC2 instance to have IAM-based permissions, but don’t want the docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP 169.254.169.254. Is it sufficient to run:

iptables -I DOCKER -s 169.254.169.254 -j DROP

Do I also need to configure my docker daemon with --icc=false or --iptables=false?

One solution collected from the web for “Block docker access to specific IP”

    Finally got this working; you need to add this rule on the host machine:

    1) Drop docker bridge packets when outbound to 169.254.169.254 port 80 or 443.

    sudo iptables -I FORWARD -i docker0 -d 169.254.169.254 \
      -p tcp -m multiport --dports 80,443 -j DROP
    

    Now, if I try to connect inside the container:

    $ sudo docker run -it ubuntu bash
    root@8dc525dc5a04:/# curl -I https://www.google.com
    HTTP/1.1 200 OK
    root@8dc525dc5a04:/# curl -I http://169.254.169.254/
      # <-- hangs indefinitely, which is what we want
    

    Connections to the special IP still work from the host machine, but not from inside containers.

    Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on 169.254.169.254, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.
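As an added example (not part of the original answer or of Docker itself), the following POSIX shell script checks the text printed by `iptables -S FORWARD` for the DROP rule above and reports whether it is actually evaluated before Docker's own ACCEPT rule for traffic entering from `docker0`. Both listings are constructed samples: `SAMPLE_FORWARD` shows the rule inserted at the top as the answer does; `SAMPLE_AFTER_RESTART` is a hypothetical listing where the DROP has ended up below Docker's ACCEPT rules (the kind of ordering a daemon restart that re-adds rules can produce), so the block no longer takes effect even though the rule is still present. The function names and the `--live` flag are my own.

```shell
#!/bin/sh
# Added example: audit `iptables -S FORWARD` output for the metadata-blocking
# rule from the answer. Not code from the original post.

# Constructed sample: the listing after the answer's rule was inserted at
# the top of FORWARD on a Docker host.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i docker0 -d 169.254.169.254/32 -p tcp -m multiport --dports 80,443 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed (hypothetical) sample: same rules, but the DROP now sits below
# Docker's "-i docker0 ... -j ACCEPT", so container traffic is accepted first.
SAMPLE_AFTER_RESTART='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i docker0 -d 169.254.169.254/32 -p tcp -m multiport --dports 80,443 -j DROP'

# metadata_block_rank <listing> <bridge>
# Prints the 1-based position (among the -A FORWARD rules) of the first rule
# that drops traffic from <bridge> to 169.254.169.254; prints nothing if absent.
metadata_block_rank() {
    printf '%s\n' "$1" \
      | grep '^-A FORWARD' \
      | grep -n -- "-i $2 .*169\.254\.169\.254.*-j DROP" \
      | head -n 1 | cut -d: -f1
}

# first_accept_rank <listing> <bridge>
# Position of the first rule that accepts traffic entering from <bridge>
# (Docker adds "-i docker0 ! -o docker0 -j ACCEPT" for the default bridge).
first_accept_rank() {
    printf '%s\n' "$1" \
      | grep '^-A FORWARD' \
      | grep -n -- "-i $2 .*-j ACCEPT" \
      | head -n 1 | cut -d: -f1
}

# metadata_block_effective <listing> <bridge>
# Returns 0 when the DROP exists and is evaluated before the first ACCEPT for
# the bridge (iptables stops at the first matching terminal rule), 1 otherwise.
metadata_block_effective() {
    mb_drop=$(metadata_block_rank "$1" "$2")
    mb_accept=$(first_accept_rank "$1" "$2")
    [ -n "$mb_drop" ] || return 1
    [ -z "$mb_accept" ] && return 0
    [ "$mb_drop" -lt "$mb_accept" ]
}

# Stand-alone usage: "--live" audits the host's real FORWARD chain (needs root
# and iptables); otherwise the hypothetical post-restart sample is reported on.
if [ "${1:-}" = "--live" ]; then
    listing=$(iptables -S FORWARD)
else
    listing=$SAMPLE_AFTER_RESTART
fi
if metadata_block_effective "$listing" docker0; then
    echo "metadata DROP rule is in place and precedes Docker's ACCEPT for docker0"
else
    echo "WARNING: containers on docker0 can still reach 169.254.169.254"
fi
```

The check matters because a rule that is merely present is not enough: iptables evaluates FORWARD top to bottom and stops at the first terminal match, so the DROP only protects containers while it sits above Docker's ACCEPT for `-i docker0`. Docker documents the `DOCKER-USER` chain (present in the sample listings and in Docker 17.06 and later) as the place for such rules, since it is jumped to before Docker's own rules and is not flushed by the daemon; putting the same DROP there instead of directly in FORWARD avoids the ordering problem the second sample models.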
