It's really hard to lock down Docker instances; this is the easiest way I have found.
Permit access from LAN networks and individual IPs externally:
ipset -N minecraft iphash
ipset -A minecraft 192.168.1.0/24
ipset -A minecraft 172.16.0.0/24
ipset -A minecraft 125.238.106.4 # Daniel
iptables -I DOCKER-USER -p tcp --dport 25565 -m set ! --match-set minecraft src -j DROP
iptables -I DOCKER-USER -p udp --dport 19132 -m set ! --match-set minecraft src -j DROP
This is all added to a script that runs when the interfaces come up. To check the result:
iptables -L DOCKER-USER
ipset list minecraft
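As an added example (not the post's own script), the same rules written as a script that is safe to re-run from an interface-up hook: it uses hash:net so the /24 entries are stored as networks rather than expanded into one entry per address, passes -exist so re-creating the set or re-adding an entry is not an error, and checks each rule with iptables -C so it is inserted only when not already present. The SET_NAME/ALLOWED/PORTS variables, the gen_commands/count_commands functions and the show/apply arguments are my own; the allowed addresses and ports are the post's.

```shell
#!/bin/sh
# Same intent as the commands above, but safe to re-run from an interface-up
# hook: creating an existing set and re-adding entries are not errors (-exist),
# and each iptables rule is inserted only if -C reports it is not there yet.
set -eu

SET_NAME=${SET_NAME:-minecraft}   # same set name as the post uses
# Allowed sources from the post: two LAN ranges plus one external address.
ALLOWED="192.168.1.0/24 172.16.0.0/24 125.238.106.4"
# proto:port pairs to protect. DOCKER-USER is traversed after Docker's DNAT,
# so these must be the container-side ports if they differ from the host ports.
PORTS="tcp:25565 udp:19132"

# Print one idempotent ipset/iptables command per line; executes nothing.
gen_commands() {
    # hash:net stores 192.168.1.0/24 as one network entry instead of 256 hosts.
    printf 'ipset create %s hash:net -exist\n' "$SET_NAME"
    for net in $ALLOWED; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$net"
    done
    for pp in $PORTS; do
        proto=${pp%%:*}
        port=${pp#*:}
        rule="DOCKER-USER -p $proto --dport $port -m set ! --match-set $SET_NAME src -j DROP"
        # -C succeeds only when an identical rule exists; -I runs only when it fails.
        printf 'iptables -C %s 2>/dev/null || iptables -I %s\n' "$rule" "$rule"
    done
}

# Number of commands gen_commands emits (quick sanity check for the hook).
count_commands() {
    gen_commands | wc -l | tr -d ' '
}

case "${1:-}" in
    show)  gen_commands ;;           # review the commands without running them
    apply) gen_commands | sh -e ;;   # run them (needs root, ipset and iptables)
esac
```

Run it with `show` first to review the generated commands, then with `apply` from the hook; because every command is idempotent, running `apply` twice leaves a single copy of each rule in DOCKER-USER.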
References:
https://wiki.archlinux.org/index.php/Ipset
https://vmalli.com/managing-custom-iptables-rules-on-a-debian-docker-host/