Blocking traffic to one of the docker service tasks (containers)

Question

There are 3 distinct vms where RabbitMQ service is deployed in global mode. My goal is to block traffic to one of the RabbitMQ service containers. Tried using iptables to Reproduce RabbitMQ network partition scenario

by adding iptables chain

iptables -A DOCKER-INGRESS -d 10.255.0.33 -p tcp --dport amqp -m state --state ESTABLISHED,RELATED -j DROP

on 2 docker nodes where RabbitMQ service task containers run. 10.255.0.33 is ip of the container from swarm overlay network taken from docker service inspect output. Though, traffic still passes through and network partition is not reproduced. How to block traffic to service container correctly?

Is it possible (in your case) to have the three distinct VMs on different networks? — Jeff Huijsmans, Aug 16 '17 at 14:17

score 0 · Accepted Answer · answered Mar 06 '19 at 09:05

Suppose you want to block traffic from/to container identified by container_id

Steps 2-3 should run inside the container.

1) Enter the container:

docker exec -it --privileged --env http_proxy=proxy_ip container_id bash

--env http_proxy=proxy_ip is not needed if you can connect to web directly and not behind some (corporate) proxy

2) This step assumes that the underlying image OS is Debian based. If it's RED-HAT based, use the yum package installer equivalent commands. If it's some other OS family, use the appropriate package installer commands.

Install iptables

apt-get update &amp;&amp; apt-get install -y iptables

3) Block traffic to/from container whose virtual ip is 10.0.0.183

iptables -A OUTPUT -d 10.0.0.183 -j DROP
iptables -A INPUT -d 10.0.0.183 -j DROP

Blocking traffic to one of the docker service tasks (containers)

1 Answers1