Block docker access to specific IP
I’d like my EC2 instance to have IAM-based permissions, but don’t want the docker containers on that instance to have the same permissions. I believe it should be sufficient to block access to the magic IP 169.254.169.254. Is it sufficient to run:
iptables -I DOCKER -s 169.254.169.254 -j DROP
Do I also need to configure my docker daemon with
One solution collected from the web for “Block docker access to specific IP”
Finally got this working, you need to add this rule on the host machine:
1) Drop docker bridge packets when outbound to 169.254.169.254 port 80 or 443.
sudo iptables -I FORWARD -i docker0 -d 169.254.169.254 \
  -p tcp -m multiport --dports 80,443 -j DROP
Now, if I try to connect inside the container:
$ sudo docker run -it ubuntu bash
root@8dc525dc5a04:/# curl -I https://www.google.com
HTTP/1.1 200 OK
root@8dc525dc5a04:/# curl -I http://169.254.169.254/   # <-- hangs indefinitely, which is what we want
Connections to the special IP still work from the host machine, but not from inside containers.
Note: my use case is for Google Compute Engine and prevents Docker containers from accessing the metadata server on 169.254.169.254, while still allowing DNS and other queries against that same IP. Your mileage may vary on AWS.
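The rule from the answer, as an added example that is not part of the original post, wrapped in a script that inserts it only once and then checks from inside a container that the metadata endpoint is blocked while outbound HTTPS still works. It assumes the docker0 bridge, the FORWARD chain, root privileges, and the curlimages/curl image for the check.

```shell
#!/bin/sh
# Added example (not from the original post): install the answer's rule only
# once and confirm from inside a container that the metadata endpoint is
# unreachable while ordinary HTTPS still works.
# Assumptions: bridge is docker0, rule goes in FORWARD, iptables and docker
# are installed, this runs as root, curlimages/curl is the test image.
METADATA_IP=169.254.169.254
BRIDGE=docker0
CHAIN=FORWARD   # Docker >= 17.06 also offers DOCKER-USER, reserved for such rules
RULE="-i $BRIDGE -d $METADATA_IP -p tcp -m multiport --dports 80,443 -j DROP"

# Read `iptables -S $CHAIN` output on stdin; succeed if the rule is already
# there. Matched field by field because iptables-save reorders options and
# rewrites the destination as 169.254.169.254/32.
rule_present() {
    grep -- "^-A $CHAIN " | grep -F -- "-d $METADATA_IP" \
        | grep -F -- "-i $BRIDGE" | grep -F -- '--dports 80,443' \
        | grep -qF -- '-j DROP'
}

# Insert at position 1 so the DROP is evaluated before Docker's own ACCEPT
# rules; skip when already present so re-runs do not stack duplicates.
# $RULE is deliberately unquoted so it splits into separate arguments.
apply_rule() {
    if iptables -S "$CHAIN" | rule_present; then
        echo "rule already present in $CHAIN"
    else
        iptables -I "$CHAIN" 1 $RULE
    fi
}

# Dropped packets get no reply, so the metadata request must time out
# (curl exit 28) rather than succeed; the public HTTPS request must succeed.
verify_from_container() {
    docker run --rm curlimages/curl:latest sh -c "
        if curl -sS -o /dev/null --max-time 5 http://$METADATA_IP/; then
            echo 'FAIL: metadata endpoint reachable from container' >&2; exit 1
        fi
        curl -sS -o /dev/null --max-time 10 https://www.google.com/ \
            && echo 'OK: metadata blocked, outbound HTTPS works'"
}

# Usage as root: sh metadata-guard.sh apply
if [ "${1:-}" = apply ]; then
    apply_rule && verify_from_container
fi
```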