Hello all,
I was wondering what was the current recommended way to restrict network
access of containers?
I'm trying to set up a web service via 'podman compose'; I like most of
my web services (proxied through Nginx) to only have access to the lo
interface, and while for other services this is done via a systemd unit
setting, I'm having trouble finding the equivalent for podman.
The following rules seem to work (I can also use -s/-d and specify the
whole IP range used by containers):
iptables -t filter -I NETAVARK_FORWARD -i podman2 ! -o lo,podman2 -j DROP
iptables -t filter -I NETAVARK_FORWARD -o podman2 ! -i lo,podman2 -j DROP
However, I'm not sure when the NETAVARK_FORWARD table is created (should
I even use this table?), and the podman2 interface also does not exist
before the network is created (when running 'podman compose up').
Is there a way to run these commands when the containers are brought up,
like some kind of pre-up script? Is there a better way of achieving what
I'm trying to do?
Thanks for your help,
François-Xavier
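An added example, not from the post above, of the two forwarding rules applied idempotently from a script that can be re-run after every 'podman compose up'. It assumes the NETAVARK_FORWARD chain in the filter table and a bridge name such as podman2 (both taken from the question; confirm them with 'iptables -t filter -S' on your host). Note that iptables takes a single interface name per -i/-o match, so each rule names only the bridge; traffic between a container and the host itself traverses INPUT/OUTPUT rather than FORWARD, so it is unaffected by these rules.

```shell
#!/bin/sh
# Added example (not from the original post). Restricts a podman bridge so
# that forwarded traffic may only stay on the bridge itself; container<->host
# traffic (INPUT/OUTPUT) is untouched, published ports from outside are dropped.
set -eu

# Emit the rule specs (without table/chain) for one bridge interface,
# one rule per direction. Only a single interface name per -i/-o match.
netavark_lockdown_rules() {
  br="$1"
  printf '%s\n' \
    "-i $br ! -o $br -j DROP" \
    "-o $br ! -i $br -j DROP"
}

# Return 0 if the chain already exists in the filter table (it is created by
# netavark when the network is brought up; chain name is an assumption).
netavark_chain_present() {
  iptables -t filter -S "${1:-NETAVARK_FORWARD}" >/dev/null 2>&1
}

# Insert each rule only if not already present (-C), so re-running the
# script after every 'podman compose up' never duplicates rules.
apply_netavark_lockdown() {
  br="$1"; chain="${2:-NETAVARK_FORWARD}"
  if ! netavark_chain_present "$chain"; then
    echo "chain $chain not present yet; bring the network up first" >&2
    return 1
  fi
  netavark_lockdown_rules "$br" | while read -r spec; do
    # shellcheck disable=SC2086  (word-splitting of $spec is intended)
    iptables -t filter -C "$chain" $spec 2>/dev/null \
      || iptables -t filter -I "$chain" $spec
  done
}

# Usage: ./lockdown.sh podman2   (run as root after 'podman compose up')
if [ -n "${1:-}" ]; then
  apply_netavark_lockdown "$1"
fi
```

Run it with the bridge name as the only argument once the network exists; a second run is a no-op because of the -C check.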