Skip to content

local lan blocking / one way communication #17

Description

@mrpops2ko

hi im wondering if this kind of update would be something you would be interested in

so to provide an example, lets assume you have created a docker network called traefik-public and done the whole preventative container communcation for security etc

those containers because they are on the bridge docker network driver, are capable of pinging outwards - so if you have a remote desktop, or other devices in the lan then the containers are fully capable of communicating with them and under the scenario of an attacker gaining control of one of those containers they then have access to whatever resources are on your local network.

I was thinking some kind of additional variables that define what your docker host and subnet are like;
DOCKER_HOST=192.168.1.2
LAN_SCOPE=192.168.1.1/24

i think we'd need to know the docker host because we cant block that, or else the containers won't be able to communicate outwards at all and then for the lan scope it'd maybe be something like
iptables -I DOCKER-USER -s 192.168.1.1/24 -d 172.17.0.0/16 -j ACCEPT
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I DOCKER-USER -s 172.17.0.0/16 -d 192.168.1.1/24 -j DROP

im no good with iptables im just thinking out loud, im not even sure if thats how the networking would be because its internal docker NAT so it'd be the location of the docker host wouldn't it?

i guess another solution for this outside of the scope of trafficjam would be to slap a vlan tag on this and then centrally manage it at the firewall level instead with appropriate connectivity rules

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions