Run docker container with no access to internet

Hi All,

Synology Docker allows you to set 2 types of network interface drivers:

  • bridge: an isolated network namespace.
  • host: the same network namespace as the Docker host
At the moment I'm trying to run a docker container and not allow it to connect to the internet.
I'm not sure if it's enough to attach it to a bridge network driver or if I have to do something else to achieve that?

I have tried to run different commands after logging into the terminal of the docker container to determine if I can contact the internet, but those commands weren't available.

All tips are appreciated
 
Actually it's --network none. It is only available from the CLI.
Have you tried using --network no-internet?

Thanks guys, I'll try that!

Is there any way to test that the container has no connectivity to the internet?

Installing net-tools doesn't seem to work?

Code:
:/# apt-get install net-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package net-tools
 
Maybe just ping any external website, e.g.
ping 8.8.8.8

Any lost packets? 100%
-------

I like your idea, @sNASsy! In fact I was thinking about using one of the twin LAN ports to manage an internal network system (e.g. Homebridge). SP: what's your purpose?
 
Noob-Alert!

Wow, I finally found out why I couldn't install net-tools and iputils-ping. I should have done an apt-get update before trying to install the packages.
So I finally can see that my docker container has access to the internet.

Now I'm trying to start the docker container through the CLI but I can't get it to start.

I tried: docker run --network none host "container name" but it doesn't seem to work.

Code:
Unable to find image 'host:latest' locally
docker: Error response from daemon: repository host not found: does not exist or no pull access.
See 'docker run --help'.


 
Do you mind sharing your use case with us?

Inexperienced users sometimes tend to ask the questions they believe will help remove one obstacle after the next of what they believe is preventing them from getting where they want.

While an experienced user might suggest a whole different approach...
 
I'm planning to run Bitwarden and Home Assistant in Docker, and I might be a bit paranoid but I don't want these dockers to connect to the internet. The Bitwarden Docker build isn't an official build so I'm kinda wary.....
 
I'm planning to run Bitwarden and Home Assistant in Docker, and I might be a bit paranoid but I don't want these dockers to connect to the internet.
So you will only use BW inside your LAN and VPN back into your LAN from your mobile devices?
 
@Rusty: I feel we both missed the point: local LAN is wanted, internet is not.

It might be worth inspecting whether a docker custom network can be used to leverage the Syno Firewall to whitelist specific IP ranges for outgoing traffic. I do remember from the past that people with the firewall enabled managed to lock down container traffic by accident. Though I have no idea where or how to configure it.. I never used the Syno Firewall...
 
@Rusty, @one-eyed-king

For some strange reason I can't start the docker container with the option --network non.

So I ended up creating a new network and I realized this time around that there was also an option to Disable IP Masquerade. I thought, why not try that option, then added the network. After that I moved my Bitwarden Docker to the new network and voilà, no more internet access. The web interface is still reachable through the local network, so this is basically the situation I wanted.

I'm still kind of puzzled why this actually worked. Networking is not my specialty so I have no idea how to explain it.
 
Great that it worked!

I would not have guessed that "IP Masquerade" (~ act as a NAT gateway) would solve the issue. Honestly, I never used it. I am always using the docker CLI or embedding the network configuration in the docker-compose.yml files, which to my knowledge do not provide this setting.

Seems like Syno added this for convenience. This is how the rest of the world can achieve the same: Advanced Docker networking // Custom outgoing IP

A likely explanation:
The "IP Masq" setting prevents all containers in the network from sending traffic to the outer world. At the same time, the container can be accessed using the published port on the host (dsm:host-port).
 
I am trying to solve a similar case:

I am going to run my nginx:stable-alpine web server in Docker, with DNAT port forwarding from my router, and expose it to the Internet.
I would like to protect my LAN environment from possible attackers who can launch zero-day attacks on Nginx and take over the container.
I want to open inbound traffic to my container (HTTP GET) and at the same time I want to close any outbound traffic from the container (except responses to HTTP requests).
I have tried the following to no avail:

docker network create --attachable --opt 'com.docker.network.bridge.name=bridgetojail' --opt 'com.docker.network.bridge.enable_ip_masquerade=false' bridgetojail
iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o bridgetojail -j SNAT --to-source 192.168.99.1
and added
-A INPUT_FIREWALL -p tcp -m tcp --dport 80 -j RETURN
-A INPUT_FIREWALL -p tcp -m tcp --dport 443 -j RETURN
-A INPUT_FIREWALL -s 192.168.99.1/32 -j DROP

docker run -d -p 32769:80 --network bridgetojail nginx:stable-alpine

however I can still get a response from
curl www.google.com from within my container

perplexed...
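An added audit helper (editor's example, not code from the thread or from Synology) that ties together the "IP Masquerade" explanation above and the last post's ruleset. It reads the two things a defender would collect on the host, the output of `docker network inspect <network>` and the nat table from `iptables-save -t nat`, and reports whether containers on that bridge can still get outbound NAT: either because `com.docker.network.bridge.enable_ip_masquerade` is still true (Docker then adds its own MASQUERADE rule), or because a hand-written POSTROUTING SNAT/MASQUERADE rule covers the container subnet, which is exactly what the manual `SNAT --to-source 192.168.99.1` rule in the last post does. The JSON and rule lines below are constructed samples shaped like the real tool output; `audit`, `parse_network` and `nat_rules_covering` are names chosen here.

```python
"""Audit whether a Docker bridge network still gets outbound NAT.
Added example; inputs are constructed samples, not captured from a real host."""
import ipaddress
import json
import shlex

# Constructed sample shaped like `docker network inspect bridgetojail` output
# (only the fields the audit uses are included).
SAMPLE_INSPECT = json.dumps([{
    "Name": "bridgetojail",
    "Internal": False,
    "Options": {
        "com.docker.network.bridge.name": "bridgetojail",
        "com.docker.network.bridge.enable_ip_masquerade": "false",
    },
    "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
    "Containers": {"abc123": {"Name": "nginx", "IPv4Address": "172.18.0.2/16"}},
}])

# Constructed nat table lines in iptables-save style. The first is the rule
# Docker adds for its default masquerading bridge; the second is the manual
# SNAT rule from the last post, which re-creates masquerading by hand.
SAMPLE_NAT_RULES = """
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o bridgetojail -j SNAT --to-source 192.168.99.1
"""


def parse_network(inspect_json):
    """Extract name, internal flag, masquerade setting, subnets and containers."""
    net = json.loads(inspect_json)[0]
    opts = net.get("Options", {})
    # Docker defaults to masquerading unless the option is explicitly "false".
    masq = opts.get("com.docker.network.bridge.enable_ip_masquerade", "true").lower() != "false"
    subnets = [ipaddress.ip_network(c["Subnet"]) for c in net["IPAM"]["Config"]]
    return {
        "name": net["Name"],
        "internal": bool(net.get("Internal", False)),
        "masquerade": masq,
        "subnets": subnets,
        "containers": [c["Name"] for c in net.get("Containers", {}).values()],
    }


def nat_rules_covering(nat_dump, subnets):
    """Return POSTROUTING SNAT/MASQUERADE rules whose -s overlaps any subnet."""
    hits = []
    for line in nat_dump.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", "POSTROUTING"]:
            continue
        target = toks[toks.index("-j") + 1] if "-j" in toks else None
        if target not in ("MASQUERADE", "SNAT"):
            continue
        # A rule without -s matches every source address.
        src = ipaddress.ip_network(toks[toks.index("-s") + 1]) if "-s" in toks \
            else ipaddress.ip_network("0.0.0.0/0")
        if any(s.subnet_of(src) or src.subnet_of(s) for s in subnets):
            hits.append(line.strip())
    return hits


def audit(inspect_json, nat_dump):
    """Combine both inputs into findings and a yes/no on outbound NAT."""
    net = parse_network(inspect_json)
    findings = []
    if net["internal"]:
        findings.append("network is --internal: no outbound, and published ports are not reachable")
    if net["masquerade"]:
        findings.append("enable_ip_masquerade is true: Docker adds a MASQUERADE rule for this subnet")
    for rule in nat_rules_covering(nat_dump, net["subnets"]):
        findings.append("POSTROUTING rule re-enables outbound NAT for this subnet: " + rule)
    # With no NAT rule, replies to the container's private source address have
    # no route back, so outbound connections effectively fail.
    outbound = bool(findings) and not net["internal"]
    return {"network": net["name"], "containers": net["containers"],
            "outbound_likely": outbound, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT, SAMPLE_NAT_RULES)["findings"]:
        print(finding)
```

Run on the constructed samples, the audit reports only the manual SNAT rule, which is why the last poster still gets a reply from `curl`: the network itself has masquerading off, but the extra rule translates the container subnet on its way out just as MASQUERADE would. The INPUT_FIREWALL lines in that post sit in the INPUT chain, which only sees traffic addressed to the NAS itself, so they do not affect packets forwarded from the container either way.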
 
