Convox Community

How can I add a firewall rule for my containers to block an IP address?

Hello, I’m trying to prevent any SSRF security vulnerabilities in my Docker containers, so I would like to prevent them from being able to access the IP address. I think the EC2 instance does need access to this IP, to get metadata about the instance. But the Docker containers shouldn’t need any access.

Can this be configured in Convox, or in ECS?

I’ve found out that it’s possible to use iptables within a Docker container:
But I would need to run the containers with --cap-add=NET_ADMIN.

I can use privileged: true for services in convox.yml, but is there a way to just add --cap-add=NET_ADMIN?
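An alternative to granting NET_ADMIN is to filter on the Docker host rather than inside the container. Docker consults the DOCKER-USER chain before its own FORWARD rules, so a DROP placed there applies to every container on the bridge, and the container itself needs no extra capability. The script below is an added example, not code from the post above or from Convox or ECS: it prints the rules for a dry run, can apply them as root, and checks `iptables -S DOCKER-USER` output for the rule. The target address (a TEST-NET-1 placeholder) and the bridge name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Convox/ECS:
# block container -> one IP on the Docker host instead of giving the
# containers NET_ADMIN. Docker evaluates the DOCKER-USER chain before its own
# FORWARD rules, so a DROP here wins over the per-container ACCEPT rules.
# Assumptions (placeholders, not values from the post):
#   TARGET_IP    the address containers must not reach (TEST-NET-1 here)
#   DOCKER_IFACE the bridge the containers are attached to
TARGET_IP="${TARGET_IP:-192.0.2.10}"
DOCKER_IFACE="${DOCKER_IFACE:-docker0}"

# block_cmd prints the iptables command that drops forwarded traffic from the
# container bridge to TARGET_IP. "-I ... 1" puts it ahead of anything else in
# the chain. The host's own traffic goes through OUTPUT, not FORWARD, so the
# instance keeps its access while containers lose theirs.
block_cmd() {
    printf 'iptables -I DOCKER-USER 1 -i %s -d %s -j DROP\n' "$DOCKER_IFACE" "$TARGET_IP"
}

# log_cmd prints a rate-limited LOG rule; inserted after block_cmd it lands in
# front of the DROP, so a blocked SSRF attempt leaves a trace in the kernel log.
log_cmd() {
    printf 'iptables -I DOCKER-USER 1 -i %s -d %s -m limit --limit 6/min -j LOG --log-prefix "container-egress-blocked: "\n' \
        "$DOCKER_IFACE" "$TARGET_IP"
}

# rule_present reads `iptables -S DOCKER-USER` output on stdin and succeeds
# only if the DROP rule is listed (iptables-save syntax: -d before -i, /32 mask).
rule_present() {
    grep -qF -- "-A DOCKER-USER -d ${TARGET_IP}/32 -i ${DOCKER_IFACE} -j DROP"
}

# apply_rules installs the rules (root required). It refuses to run when the
# chain does not exist, i.e. this is not a Docker host using iptables.
apply_rules() {
    iptables -S DOCKER-USER >/dev/null 2>&1 || { echo "DOCKER-USER chain missing" >&2; return 1; }
    if iptables -S DOCKER-USER | rule_present; then
        echo "rule already present"
        return 0
    fi
    eval "$(block_cmd)" && eval "$(log_cmd)"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     block_cmd; log_cmd ;;   # dry run: show what would be installed
esac
```

Run it with no arguments to see the rules, or `sudo sh block.sh apply` to install them (the filename is arbitrary). This only covers containers attached to the Docker bridge, which is what ECS bridge network mode uses; tasks that get their own ENI (awsvpc mode) do not traverse docker0 and need a different control. The rules are also not persistent across reboots unless saved with the host's usual iptables persistence mechanism.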