I need to make sure that only HTTPS traffic comes out of a docker container.
What is the best way to restrict HTTP (or any other port) coming out of a container?
The container itself does not listen on any port. A tool inside the container makes HTTP/HTTPS requests to pull a license. I need to make sure it can only do HTTPS requests.
Is it best to block the traffic on the docker host side?
Like this:
iptables -I DOCKER-USER -i ext_if -p tcp --dport http -j REJECT
I don't want to mess up all the tables that Docker creates upon initialisation.
If you need to restrict traffic on a specific container (not on host level, not for all containers), you have to add a firewall rule in the container. Here is an example:
Run the container with the NET_ADMIN capability
docker run --rm -it --cap-add=NET_ADMIN debian
Install iptables and curl
apt update && apt install iptables curl
Add a firewall rule
iptables -A OUTPUT -p tcp --dport 80 -j DROP
Then test the rule with:
curl http://www.google.com
curl https://www.google.com
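An added example (not from the answer above) that turns the single "drop port 80" rule into an allowlist: everything leaves the container via loopback, DNS or TCP 443, and all other egress is rejected. It assumes the container was started with --cap-add=NET_ADMIN and has iptables and curl installed, as in the answer; the hostname used for the check is a placeholder.

```shell
#!/bin/sh
# Added example: allowlist egress policy for one container (not the answer's
# own script). Assumes --cap-add=NET_ADMIN, iptables and curl are present.
# Usage inside the container:  sh egress.sh show    (print the rules)
#                              sh egress.sh apply   (apply, then verify)
HTTPS_PORT=443

# Emit the rules one per line so they can be reviewed or diffed before use.
# ACCEPT rules come first; the DROP policy is set last so a shell that is
# already connected is not cut off halfway through.
egress_rules() {
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport $HTTPS_PORT --syn -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
iptables -P OUTPUT DROP
EOF
}

# Apply each rule; stop at the first failure so a half-applied policy is not
# mistaken for a working one.
apply_rules() {
    egress_rules | while IFS= read -r rule; do
        $rule || return 1
    done
}

# Returns 0 only when plaintext HTTP is refused and HTTPS still succeeds.
verify_policy() {
    host="${1:-www.example.com}"   # placeholder host, not from the page
    if curl -sS -m 5 -o /dev/null "http://$host"; then
        echo "FAIL: http://$host was reachable" >&2
        return 1
    fi
    curl -sS -m 10 -o /dev/null "https://$host" || {
        echo "FAIL: https://$host unreachable" >&2
        return 1
    }
    echo "OK: only HTTPS egress is allowed"
}

case "${1:-}" in
    apply) apply_rules && verify_policy "${2:-}" ;;
    show)  egress_rules ;;
esac
```

Port filtering only proves that traffic goes to port 443, not that it is TLS; a tool that speaks plaintext HTTP on port 443 would still pass, so pair this with the tool's own HTTPS-only configuration where it has one.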