How can I add a firewall rule for my containers to block an IP address?

nathan.f77 · April 24, 2020, 8:57pm

Hello, I’m trying to prevent any SSRF security vulnerabilities in my Docker containers, so I would like to prevent them from being able to access the 169.254.169.254 IP address. I think the EC2 instance does need access to this 169.254.169.254 IP, to get metadata about the instance. But the Docker containers shouldn’t need any access.

Can this be configured in Convox, or in ECS?

nathan.f77 · April 25, 2020, 8:43am

I’ve found out that it’s possible to use iptables within a Docker container: https://github.com/moby/moby/issues/18230
But I would need to run the containers with --cap-add=NET_ADMIN.

I can use privileged: true for services in convox.yml, but is there a way to just add --cap-add=NET_ADMIN?

Topic		Replies	Views
Disabling EC2 instance public IPV4 addresses Rack (Version 2)	1	82	January 24, 2024
Disabling port 80 Rack (Version 2)	3	148	August 15, 2023
Enabling Container insights on Rack V2 Rack (Version 2)	1	191	December 29, 2022
Could it support 'clusterIP: None', aka k8s headless services? Rack (Version 3)	1	465	December 24, 2020
Directly disabling public ACLs and bucket policies in AWS console? Rack (Version 2)	0	393	February 18, 2019

How can I add a firewall rule for my containers to block an IP address?

Related Topics