Block docker access to specific IP

I’d like my EC2 instance to have IAM-based permissions, but don’t want the docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP Is it sufficient to run:

iptables -I DOCKER -s -j DROP

Do I also need to configure my docker daemon with --icc=false or --iptables=false?

  • How to git install instead of pip install?
  • Docker container port issue
  • How to isolate docker containers from other users
  • Dockerfile - How to pass an answer to a prompt post apt-get install?
  • Is it ok to run docker from inside docker?
  • “update --memory” can not work
  • How to change the version of Ruby in a Docker image (replace 2.2.0 with 2.0.0 )
  • Ubuntu 16.10 in Docker 1.12 claims there is no socket for MySQL
  • How to deal with temporary apt-key adv failures?
  • regex string doesn't seem to work in ELK stack
  • Unmet Peer dependency issue when running node in docker
  • Caching a single file on Travis CI
  • One Solution collect form web for “Block docker access to specific IP”

    Finally got this working, you need to add this rule on the host machine:

    1) Drop docker bridge packets when outbound to port 80 or 443.

    sudo iptables -I FORWARD -i docker0 -d \
      -p tcp -m multiport --dports 80,443 -j DROP

    Now, if I try to connect inside the container:

    $ sudo docker run -it ubuntu bash
    root@8dc525dc5a04:/# curl -I
    HTTP/1.1 200 OK
    root@8dc525dc5a04:/# curl -I
      # <-- hangs indefinitely, which is what we want

    Connections to the special IP still work from the host machine, but not from inside containers.

    Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.