Block docker access to specific IP

I’d like my EC2 instance to have IAM-based permissions, but don’t want the docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP 169.254.169.254. Is it sufficient to run:

iptables -I DOCKER -s 169.254.169.254 -j DROP

Do I also need to configure my docker daemon with --icc=false or --iptables=false?

  • One solution collected from the web for “Block docker access to specific IP”

    Finally got this working, you need to add this rule on the host machine:

    1) Drop docker bridge packets when outbound to 169.254.169.254 port 80 or 443.

    sudo iptables -I FORWARD -i docker0 -d 169.254.169.254 \
      -p tcp -m multiport --dports 80,443 -j DROP
    

    Now, if I try to connect inside the container:

    $ sudo docker run -it ubuntu bash
    root@8dc525dc5a04:/# curl -I https://www.google.com
    HTTP/1.1 200 OK
    root@8dc525dc5a04:/# curl -I http://169.254.169.254/
      # <-- hangs indefinitely, which is what we want
    

    Connections to the special IP still work from the host machine, but not from inside containers.

    Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on 169.254.169.254, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.
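The answer above installs the rule by hand and checks it by eye. The following script is an added example, not code from the question or the answer, that does the same thing idempotently: it reads the current `iptables -S` listing, picks the chain to use, skips the insert if the rule is already there, and then verifies from inside a throwaway container. It assumes the Docker bridge is `docker0` (override with `BRIDGE_IF`), that the `curlimages/curl` image is available for the check, and it prefers the `DOCKER-USER` chain when present, since Docker evaluates that chain before its own FORWARD rules and does not rewrite it when the daemon restarts; on older Docker without that chain it falls back to the plain `FORWARD` insert the answer uses.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent install of the
# metadata-block rule from the answer, plus a container-side check.
# Assumptions: bridge interface docker0, DOCKER-USER chain if Docker >= 17.06,
# curlimages/curl image available for the verification step.
set -eu

METADATA_IP="169.254.169.254"
BRIDGE_IF="${BRIDGE_IF:-docker0}"

# Rule body in the exact form `iptables -S` prints it (iptables-save syntax),
# so a string comparison is enough to detect an existing copy.
rule_body() {
  printf '%s' "-i $BRIDGE_IF -d $METADATA_IP/32 -p tcp -m multiport --dports 80,443 -j DROP"
}

# pick_chain < listing: DOCKER-USER if that chain is declared in the
# `iptables -S` output on stdin, otherwise FORWARD.
pick_chain() {
  if grep -q '^-N DOCKER-USER$'; then echo DOCKER-USER; else echo FORWARD; fi
}

# rule_present CHAIN < listing: exit 0 if the rule is already installed in CHAIN.
rule_present() {
  grep -Fxq -- "-A $1 $(rule_body)"
}

# install_cmd CHAIN: the iptables command that adds the rule at the top of CHAIN.
# Printed rather than executed so the logic can be checked without root.
install_cmd() {
  printf 'iptables -I %s %s\n' "$1" "$(rule_body)"
}

# Needs root and a running Docker daemon.
main() {
  listing=$(iptables -S)
  chain=$(printf '%s\n' "$listing" | pick_chain)
  if printf '%s\n' "$listing" | rule_present "$chain"; then
    echo "rule already present in $chain"
  else
    sh -c "$(install_cmd "$chain")"
    echo "installed rule in $chain"
  fi
  # With the DROP rule in place curl should time out (non-zero exit), not get a 200.
  if docker run --rm curlimages/curl -sS --max-time 3 -I "http://$METADATA_IP/" >/dev/null 2>&1; then
    echo "FAIL: metadata endpoint still reachable from a container"
    return 1
  fi
  echo "OK: metadata endpoint blocked for bridged containers"
}

# Only act when explicitly asked, e.g. `sudo sh block-metadata.sh install`.
case "${1:-}" in
  install) main ;;
esac
```

Two caveats worth keeping in mind with either the answer's one-liner or this script: a container started with `--network=host` never crosses `docker0`, so the FORWARD rule does not apply to it, and the rule only covers TCP 80 and 443, which is what the metadata service listens on, while leaving DNS and other traffic to that address alone as the answer intends.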
