Block docker access to specific IP

I’d like my EC2 instance to have IAM-based permissions, but don’t want the docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP 169.254.169.254. Is it sufficient to run:

iptables -I DOCKER -s 169.254.169.254 -j DROP

Do I also need to configure my docker daemon with --icc=false or --iptables=false?

One solution collected from the web for “Block docker access to specific IP”

    Finally got this working, you need to add this rule on the host machine:

    1) Drop docker bridge packets when outbound to 169.254.169.254 port 80 or 443.

    sudo iptables -I FORWARD -i docker0 -d 169.254.169.254 \
      -p tcp -m multiport --dports 80,443 -j DROP
    

    Now, if I try to connect inside the container:

    $ sudo docker run -it ubuntu bash
    root@8dc525dc5a04:/# curl -I https://www.google.com
    HTTP/1.1 200 OK
    root@8dc525dc5a04:/# curl -I http://169.254.169.254/
      # <-- hangs indefinitely, which is what we want
    

    Connections to the special IP still work from the host machine, but not from inside containers.

    Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on 169.254.169.254, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.
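The rule above works, but two things go wrong in practice: re-running `iptables -I` on every boot stacks duplicate copies, and a rule appended with `-A` (or one that Docker's own `-i docker0 ... -j ACCEPT` rules end up above after a daemon restart) is silently shadowed. The following script is an added example, not code from the answer above or from Docker: it installs the rule idempotently (checking with `iptables -C` first), and verifies from an `iptables-save` dump that the DROP precedes any ACCEPT for traffic entering from the bridge. The chain, the interface name, the helper names and the sample dumps are assumptions made for illustration; the dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent install of the
# metadata-blocking rule plus an ordering check against an iptables-save dump.
# Chain/interface defaults and all sample dumps below are assumptions.

META_IP="169.254.169.254"

# Print the rule specification for one bridge interface (default docker0).
# Custom Docker networks use br-<id> interfaces, so pass those explicitly.
block_rule_spec() {
    echo "-i ${1:-docker0} -d $META_IP -p tcp -m multiport --dports 80,443 -j DROP"
}

# Insert the rule at the top of a chain only if an identical rule is not already
# there (iptables -C exits 0 when it is), so re-runs never duplicate it.
# Usage: install_block_rule FORWARD              # chain used in the answer above
#        install_block_rule DOCKER-USER br-abc   # Docker's user chain, custom bridge
install_block_rule() {
    chain="${1:-FORWARD}"
    spec="$(block_rule_spec "${2:-docker0}")"
    # shellcheck disable=SC2086  # word splitting of $spec is intended
    if iptables -C "$chain" $spec 2>/dev/null; then
        echo "rule already present in $chain"
    else
        iptables -I "$chain" 1 $spec
        echo "rule inserted at top of $chain"
    fi
}

# Read an iptables-save dump on stdin and report, for one chain of the filter
# table, whether the DROP rule exists and comes before the first rule that
# ACCEPTs traffic arriving from the bridge. Prints: ok | shadowed | missing
check_rule_order() {
    awk -v chain="${1:-FORWARD}" -v iface="${2:-docker0}" -v ip="$META_IP" '
        /^\*/ { table = substr($0, 2) }               # *filter, *nat, ...
        table == "filter" && $1 == "-A" && $2 == chain {
            n++
            in_rule = ($0 ~ ("-i " iface " "))        # trailing space: docker0 != docker01
            if (in_rule && $0 ~ ("-d " ip) && $0 ~ /-j DROP/ && !drop) drop = n
            if (in_rule && $0 ~ /-j ACCEPT/ && !accept) accept = n
        }
        END {
            if (!drop)                        print "missing"
            else if (accept && accept < drop) print "shadowed"
            else                              print "ok"
        }'
}

# Constructed sample dumps in iptables-save layout (not captured from a host).
DUMP_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -d 169.254.169.254/32 -i docker0 -p tcp -m multiport --dports 80,443 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Same rule, but appended with -A: it sits below the ACCEPTs and never fires.
DUMP_SHADOWED='*filter
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 169.254.169.254/32 -i docker0 -p tcp -m multiport --dports 80,443 -j DROP
COMMIT'

DUMP_MISSING='*filter
:FORWARD DROP [0:0]
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

# Stand-alone demo: on a real host, replace the sample with `iptables-save`.
printf 'DUMP_OK:       %s\n' "$(printf '%s\n' "$DUMP_OK"       | check_rule_order FORWARD)"
printf 'DUMP_SHADOWED: %s\n' "$(printf '%s\n' "$DUMP_SHADOWED" | check_rule_order FORWARD)"
printf 'DUMP_MISSING:  %s\n' "$(printf '%s\n' "$DUMP_MISSING"  | check_rule_order FORWARD)"
```

On a live host run `iptables-save | check_rule_order FORWARD` after `install_block_rule`, and repeat it after a Docker daemon restart, since Docker rewrites its own FORWARD rules then. Docker reserves the DOCKER-USER chain for exactly this kind of rule and evaluates it before its own rules, so `install_block_rule DOCKER-USER` is the more durable placement on daemons that have that chain. Two caveats beyond the post: the rule only covers bridges you name (`docker0` does not match `br-*` interfaces of user-defined networks, and containers run with `--network host` bypass it entirely), and on AWS, setting the instance's IMDSv2 `HttpPutResponseHopLimit` to 1 is a complementary control, because token responses with a hop limit of 1 are not forwarded across the bridge.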
