Convox Community

How can I add a firewall rule for my containers to block an IP address?

Hello, I’m trying to prevent any SSRF security vulnerabilities in my Docker containers, so I would like to prevent them from being able to access the 169.254.169.254 IP address. I think the EC2 instance does need access to this 169.254.169.254 IP, to get metadata about the instance. But the Docker containers shouldn’t need any access.

Can this be configured in Convox, or in ECS?

I’ve found out that it’s possible to use iptables within a Docker container: https://github.com/moby/moby/issues/18230
But I would need to run the containers with --cap-add=NET_ADMIN.

I can use privileged: true for services in convox.yml, but is there a way to just add --cap-add=NET_ADMIN?