Hello François-Xavier,
I can't speak to best practices or broadly acceptable recommendations, but below is
what I would try.
For each container that doesn't need to talk to any other container, set
`network_mode: none` for that container's entry in the `services:` top-level element.
Please note that I haven't personally tried combining `network_mode: none` with
`ports:` within the same container, so if that doesn't work as I described that may be
my fault.
For each container that needs to talk to another container, define a network in the
`networks:` top-level element with `internal: true` set for it. In each container's
entry in the `services:` top-level element, include that network in `networks:`.
In either case, these should prevent the default behaviour of attaching containers to the
default network, which is what normally gives broad outbound network access to containers.
No iptables commands should be needed.
If you only want the containers' exposed ports to be accessible on the machine running
the containers, specify 127.0.0.1 in addition to the port(s) themselves in each
container's `ports:` section (syntax here:
https://github.com/compose-spec/compose-spec/blob/master/05-services.md#p...).
For syntax and extra options, I would look here:
https://github.com/compose-spec/compose-spec/blob/master/spec.md
Cheers,
-Keith
On Wednesday, July 10th, 2024 at 7:46 PM, François-Xavier Thomas
<fx.thomas(a)gmail.com> wrote:
>
>
> Hello all,
>
> I was wondering what was the current recommended way to restrict network
> access of containers?
>
> I'm trying to set up a web service via 'podman compose'; I like most of
> my web services (proxied through Nginx) to only have access to the lo
> interface, and while for other services this is done via a systemd unit
> setting, I'm having trouble finding the equivalent for podman.
>
> The following rules seem to work (I can also use -s/-d and specify the
> whole IP range used by containers):
>
> iptables -t filter -I NETAVARK_FORWARD -i podman2 ! -o lo,podman2 -j DROP
> iptables -t filter -I NETAVARK_FORWARD -o podman2 ! -i lo,podman2 -j DROP
>
> However, I'm not sure when the NETAVARK_FORWARD table is created (should
> I even use this table?), and the podman2 interface also does not exist
> before the network is created (when running 'podman compose up').
>
> Is there a way to run these commands when the containers are brought up,
> like some kind of pre-up script? Is there a better way of achieving what
> I'm trying to do?
>
> Thanks for your help,
> François-Xavier
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
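
[Editor's note] The compose file below puts Keith's three suggestions together in one place. It is an added example, not something posted in the thread or shipped by the Podman project, and the service names, the images and the `backend` network name are placeholders. Keith's caveat about combining `network_mode: none` with `ports:` is respected by publishing a port only from `web`, which is attached to a network. Whether a port published from a service whose only network is `internal: true` is reachable on the host is not confirmed anywhere in the thread and depends on the network backend, so treat it as an assumption to verify: after `podman compose up`, check the loopback binding on the host with `ss -ltnp` and `curl http://127.0.0.1:8080/`, and confirm that an outbound connection attempt from inside `web` (for example `podman compose exec web wget -T 5 -O- http://1.1.1.1/`) fails.

```yaml
# Added example compose file, not from the mailing-list thread.
# Service names, images and the network name are placeholders.
services:
  web:
    image: docker.io/library/nginx:latest     # placeholder image
    networks:
      - backend                                # listing a network keeps this
                                               # service off compose's default one
    ports:
      - "127.0.0.1:8080:80"                    # published on loopback only; the
                                               # host Nginx proxies to it

  db:
    image: docker.io/library/postgres:16       # placeholder image
    networks:
      - backend                                # reachable only from web

  batch:
    image: docker.io/library/alpine:latest     # placeholder image
    network_mode: none                         # needs no other container and no
                                               # outside access: only its own lo

networks:
  backend:
    internal: true                             # no gateway to the outside, so web
                                               # and db cannot reach the internet
```

With this layout no container is attached to the compose default network, so no netavark forwarding rules for it are created and no `iptables` pre-up hook is needed; the `127.0.0.1` prefix on the published port is what keeps the service off the host's non-loopback interfaces.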