I'm having some difficulty isolating a few Docker containers I have running on a Synology NAS. The way DSM starts and manages the Docker daemon seems to be slightly different than a standard installation, and all troubleshooting steps I've tried so far have failed.
Quick explanation of the environment:
- Docker is running on a Synology NAS under DSM 6, managed via the DSM GUI (with access to SSH for more advanced configuration)
- I have two Docker networks using the "bridge" driver
- I have two containers, each using a separate Docker network mentioned above (one container per network)
The issue I'm having is that both of those containers have access to all of the ports running on the Synology NAS, including non-Docker ports (by simply visiting the container's own gateway IP, followed by the port of a service running on the NAS). In addition, the containers are able to reach the gateway IP's of the Docker network they are not mapped to, despite being on separate subnets.
For instance, Container A has a service running on port 8080. Container A is on the 172.18.0.0/16 subnet. If I try to access 172.18.0.1:8080 from Container B, which is on the 172.19.0.0/16 subnet, I am able to do so. However, I can't access Container A directly via it's own IP address from Container B - Container A is only exposed via it's gateway IP and port.
I don't want either of the containers to communicate with anything but the Internet. I still want to allow incoming connections to ports open on those containers, so long as those connections originate from outside of the Synology NAS (and as such must pass through the inbound firewall rules I have in place).
To summarize, I want to make sure:
- Each container can not communicate with one another, or have any access to the Docker network(s) it is not assigned to
- Each container can not reach services running on ports local to the Synology NAS
- Each container can access the Internet.
- External IP's can reach ports that are exposed on either container
I've tried adding iptables rules to the DOCKER and DOCKER-ISOLATION chains, but they seem to be disregarded entirely. According to Docker's documentation, there's supposed to be a DOCKER-USER chain, which should be created as long as dockerd isn't started with --iptables set to false. Looking at Synology's Docker scripts, and daemon.json, it doesn't look like it is, so the DOCKER-USER chain should be there.
I'm sure there's something simple I'm missing here, but I'm just not sure what it is. I would be content with a few DROP rules with the IP's of the containers as the source, but the rules I've already tried don't work for some reason.
Any help is greatly appreciated!
No comments:
Post a Comment