Run docker container with no access to internet


Original poster (NAS: DS216+ II; Router: RT1900ac, RT2600ac)
Hi All,

Synology Docker allows you to set 2 types of network interface drivers:

  • bridge: an isolated network namespace.
  • host: the same network namespace as the Docker host
At the moment I'm trying to run a Docker container and not allow it to connect to the internet.
I'm not sure if it's enough to attach it to a bridge network driver or if I have to do something else to achieve that?

I have tried to run different commands after logging into the terminal of the Docker container to determine if I can contact the internet, but those commands weren't available.

All tips are appreciated
 

Rusty (Moderator, NAS Support; www.blackvoid.club; NAS: DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions; Router: RT1900ac, RT2600ac, MR2200ac)
Indeed, that's the correct syntax. It's been a while since I needed that, so I was talking off the top of my head.
 
Original poster (NAS: DS216+ II; Router: RT1900ac, RT2600ac)
Actually it's --network none. It is only available from the CLI.
Have you tried using --network no-internet?

Thanks guys, I'll try that!

Is there any way to test that the container has no connectivity to the internet?

Installing net-tools doesn't seem to work?

Code:
:/# apt-get install net-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package net-tools
 
NAS: DS412+
Maybe just ping any external website, e.g.
ping 8.8.8.8

Any lost packets? 100%
-------

I like your idea, @sNASsy! In fact I was thinking about using one of the twin LAN ports to manage an internal network system (e.g. Homebridge). SP: what's your purpose?
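As an added example (not from any post in this thread), here is a probe that answers the "how do I test it" question even when the image has no net-tools or ping installed: it uses only bash's built-in /dev/tcp pseudo-device and fixed IP targets, so nothing needs to be installed and the result does not depend on DNS. The default targets 8.8.8.8:53 and 1.1.1.1:443 and the LAN address mentioned below are my own choices, not the thread's. It requires bash inside the container; busybox-based images (Alpine) have no bash.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a container can reach the
# internet using only bash's built-in /dev/tcp pseudo-device, so nothing has to
# be installed in the image (needs bash; busybox/Alpine images lack it).
# Fixed IP targets keep the probe independent of DNS.
# Usage: probe.sh [host:port ...]   (defaults: 8.8.8.8:53 1.1.1.1:443)

# tcp_reachable HOST PORT [TIMEOUT]: returns 0 if a TCP handshake completes.
# bash -c receives HOST and PORT as $0 and $1; timeout bounds a silent drop.
tcp_reachable() {
  host=$1; port=$2; secs=${3:-3}
  command -v bash >/dev/null 2>&1 || { echo "bash is required" >&2; return 2; }
  timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
}

# verdict TARGET...: prints one line per host:port target plus a final verdict
# line; returns 0 only when no target accepted a connection.
verdict() {
  leaks=0
  for target in "$@"; do
    host=${target%:*}; port=${target##*:}
    if tcp_reachable "$host" "$port"; then
      echo "$target reachable"
      leaks=$((leaks + 1))
    else
      echo "$target blocked"
    fi
  done
  if [ "$leaks" -eq 0 ]; then
    echo "verdict: isolated"
  else
    echo "verdict: leak ($leaks target(s) reachable)"
  fi
  [ "$leaks" -eq 0 ]
}

# Public resolvers on ports nearly every network allows out (constructed
# defaults); an isolated container reaches none of them.
if [ $# -eq 0 ]; then set -- 8.8.8.8:53 1.1.1.1:443; fi
verdict "$@"
```

Copy it into the running container and execute it there, for example with docker cp probe.sh NAME:/tmp/probe.sh followed by docker exec NAME bash /tmp/probe.sh (NAME being your container). A correctly isolated container reports both public targets as blocked; run it a second time with a LAN target such as 192.168.1.1:443 (your own router or NAS address) to confirm that local access still works. A successful TCP connect is a stronger signal than ping, since ICMP is often filtered while TCP is not.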
 
Original poster (NAS: DS216+ II; Router: RT1900ac, RT2600ac)
Noob-Alert!

Wow, I finally found out why I couldn't install net-tools and iputils-ping. I should have done an apt-get update before trying to install the packages.
So I can finally see that my Docker container has access to the internet.

Now I'm trying to start the Docker container through the CLI but I can't get it to start.

I tried: docker run --network none host "container name" but it doesn't seem to work.

Code:
Unable to find image 'host:latest' locally
docker: Error response from daemon: repository host not found: does not exist or no pull access.
See 'docker run --help'.


 

Rusty (Moderator, NAS Support; www.blackvoid.club; NAS: DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions; Router: RT1900ac, RT2600ac, MR2200ac)
Your syntax is wrong. The word "host" is detected as the name of the image. So remove that and at the end place the name of your image:version/fork, like your_image_name:latest or something like that.
 
Do you mind sharing your use case with us?

Inexperienced users sometimes tend to ask the questions they believe will help remove one obstacle after the next of what they believe is preventing them from getting where they want.

While an experienced user might suggest a whole different approach...
 
Original poster (NAS: DS216+ II; Router: RT1900ac, RT2600ac)
Do you mind sharing your use case with us?

Inexperienced users sometimes tend to ask the questions they believe will help remove one obstacle after the next of what they believe is preventing them from getting where they want.

While an experienced user might suggest a whole different approach...

I'm planning to run Bitwarden and Home Assistant in Docker, and I might be a bit paranoid but I don't want these Docker containers to connect to the internet. The Bitwarden Docker build isn't an official build so I'm kinda wary...
 

Rusty (Moderator, NAS Support; www.blackvoid.club; NAS: DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions; Router: RT1900ac, RT2600ac, MR2200ac)
I'm planning to run Bitwarden and Home Assistant in Docker, and I might be a bit paranoid but I don't want these Docker containers to connect to the internet.
So you will only use BW inside your LAN and VPN back into your LAN from your mobile devices?
 
NAS: DS216+II, DS118, DS718+; Router: RT2600ac, MR2200ac; Operating system: Windows; Mobile operating system: Android
So you will only use BW inside your LAN and VPN back into your LAN from your mobile devices?

Correct. That's our wish.

PS: sNASsy is my brother... :) . Our networks are joined together with S2S VPN by RT2600AC routers.
 

Rusty (Moderator, NAS Support; www.blackvoid.club; NAS: DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions; Router: RT1900ac, RT2600ac, MR2200ac)
Well, I think there is no reason for --network none not to work. After that just bash into the container and try to access some destination.
 
@Rusty: I feel we both missed the point: local LAN is wanted, the internet is not.

It might be worth inspecting if a Docker custom network can be used to leverage the Syno firewall to whitelist specific IP ranges for outgoing traffic. I do remember from the past that people with the firewall enabled managed to lock down container traffic by accident. Though I have no idea where or how to configure it... I never used the Syno firewall...
 
Original poster (NAS: DS216+ II; Router: RT1900ac, RT2600ac)
@Rusty, @one-eyed-king

For some strange reason I can't start the Docker container with the option --network none.

So I ended up creating a new network and I realized this time around that there was also an option to disable IP masquerade. I thought, why not try that option, then added the network. After that I moved my Bitwarden container to the new network and voilà, no more internet access. The web interface is still reachable through the local network, so this is basically the situation I wanted.

I'm still kind of puzzled why this actually worked. Networking is not my specialty so I have no idea how to explain it.
 
Great that it worked!

I would not have guessed that "IP Masquerade" (~ act as a NAT gateway) would solve the issue. Honestly, I never used it. I am always using the Docker CLI or embed the network configuration in the docker-compose.yml files, which to my knowledge does not provide this setting.

Seems like Syno added this for convenience. This is how the rest of the world can achieve the same: Advanced Docker networking // Custom outgoing IP

A likely explanation:
The "IP Masq" setting prevents all containers in the network from sending traffic to the outer world. At the same time, the container can be accessed using the published port on the host (dsm:host-port).
 
NAS: ds218+; Operating system: Linux
I am trying to solve a similar case:

I am going to run my nginx:stable-alpine web server in Docker, with DNAT port forwarding from my router, and expose it to the internet.
I would like to protect my LAN environment from possible attackers who could launch zero-day attacks on Nginx and take over the container.
I want to open inbound traffic to my container (HTTP GET) and at the same time I want to close any outbound traffic from the container (except responses to HTTP requests).
I have tried the following to no avail:

docker network create --attachable --opt 'com.docker.network.bridge.name=bridgetojail' --opt 'com.docker.network.bridge.enable_ip_masquerade=false' bridgetojail
iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o bridgetojail -j SNAT --to-source 192.168.99.1
and added
-A INPUT_FIREWALL -p tcp -m tcp --dport 80 -j RETURN
-A INPUT_FIREWALL -p tcp -m tcp --dport 443 -j RETURN
-A INPUT_FIREWALL -s 192.168.99.1/32 -j DROP

docker run -d -p 32769:80 --network bridgetojail nginx:stable-alpine

however I can still get a response from
curl www.google.com from within my container

perplexed...
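As an added example (not from any post in this thread, and not Synology's or Docker's own code), the two policies discussed here, "LAN yes, internet no" for the Bitwarden case and "answer only, never initiate" for the nginx jail, expressed as filter rules rather than as a NAT setting. Two facts about netfilter explain the attempts above. Disabling IP masquerade does not filter anything: the container's packets still leave with their 172.x source address and get no reply only because nothing beyond the NAS has a route back, while the Docker host itself and the published port keep working. And the iptables rules in the last post cannot match the container's outgoing traffic: forwarded container packets are evaluated in the FORWARD chain (where Docker hooks the DOCKER-USER chain for operator rules) before POSTROUTING SNAT rewrites the source, so at filter time the source is still 172.18.0.x and never 192.168.99.1; a chain reached only from INPUT never sees forwarded packets at all, and even in a chain that did, the RETURN rules for dport 80/443 come first and would pass the container's own outgoing web requests, whose destination port is also 80 or 443. The script assumes a Docker version with the DOCKER-USER chain (17.06 and later; I have not checked which Synology package version ships it); 172.18.0.0/16 and 192.168.1.0/24 are placeholder values, and by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread and not Synology's or Docker's own code:
# filter a bridge network's outbound traffic in the DOCKER-USER chain, which
# Docker (17.06+) consults for every forwarded container packet before its own
# rules and leaves alone across daemon restarts. Dry run by default: the
# iptables commands are printed; run as root with IPT=iptables to apply them.
set -eu
IPT=${IPT:-echo}

# DOCKER-USER's only built-in rule is a final RETURN, so rules appended with
# -A would never be reached; everything is inserted (-I) at a fixed position.
ipt() { "$IPT" "$@"; }

# nginx-jail policy: the container may answer connections that arrived through
# its published port, but may not open any connection itself (not even to other
# containers on the bridge). SUBNET is the network's range, e.g. 172.18.0.0/16.
# Inbound packets carry the client's source address, so rule 2 never hits them;
# the container's replies are ESTABLISHED and pass through rule 1.
inbound_only() {
  subnet=$1
  ipt -I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  ipt -I DOCKER-USER 2 -s "$subnet" -m conntrack --ctstate NEW -j DROP
}

# LAN-only policy for the Bitwarden / Home Assistant case: masquerading stays
# on so LAN hosts can reply; new connections from SUBNET are passed to LAN_CIDR
# (e.g. 192.168.1.0/24) and between containers, and dropped for everything else.
lan_only() {
  subnet=$1; lan=$2
  ipt -I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  ipt -I DOCKER-USER 2 -s "$subnet" -d "$lan" -j RETURN
  ipt -I DOCKER-USER 3 -s "$subnet" ! -d "$subnet" -j DROP
}

# Command-line entry point: lockdown.sh inbound-only SUBNET
#                           lockdown.sh lan-only SUBNET LAN_CIDR
case "${1:-}" in
  inbound-only) inbound_only "$2" ;;
  lan-only)     lan_only "$2" "$3" ;;
esac
```

Run it once in dry-run mode to read the rules, then as IPT=iptables sh lockdown.sh lan-only 172.18.0.0/16 192.168.1.0/24 (substituting your network's subnet, which docker network inspect shows, and your LAN range). The rules are not persistent; re-apply them from a boot-time task, and remove them with iptables -D DOCKER-USER 1 repeated once per inserted rule. Two things are deliberately outside these rules and worth testing separately: traffic from the container to the Docker host's own addresses goes through INPUT, not FORWARD, so it is unaffected; and name resolution on a user-defined network is answered by Docker's embedded resolver rather than by the container's own packets, so check a lookup from inside the container as well as a TCP connect.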
 
