
Block connections for connected containers to host and subnet

Open · bugsymaxi opened this issue 4 years ago · 1 comment

Hello,

I wonder if there is an easy way to block connected containers (--network=container:gluetun) from being able to access the host (172.17.0.1) and possibly all other containers on the same subnet (172.17.0.0/24). This way, I am trying to avoid spreading in case a connected container gets "invaded", e.g. due to a vulnerability, and the host is running apps which listen on 0.0.0.0 - that would make them also accessible on 172.17.0.1.

For now, I always have to modify iptables and track states inside gluetun. Maybe it would be user-friendly to add an env option to block host (and subnet) access.

Thanks & Regards

bugsymaxi, Sep 07 '21 11:09

A few points to verify (you or me or both):

  1. I believe the container can only access the containers on the same Docker network gluetun is on. By default, it cannot reach the host ports. If this is true, then having gluetun on a separate Docker network would be a more elegant alternative perhaps?
  2. If connected containers get 'invaded', I believe they don't have NET_ADMIN capability so they cannot allow themselves to talk through the firewall set by gluetun. If this is not the case, there would be little point coding this feature.

Lastly, if gluetun gets 'invaded', since it administers its firewall, there is not much point changing the firewall from within gluetun since it could just revert them. Actually, it would be quite bad overall since gluetun can even add routes to reach other things on your network like your host. I'm working on #588 (feel free to subscribe) which would allow having the container image based on scratch, which makes it nearly unhackable. For now it's on the latest alpine image which is already quite secured, but it still has a shell, package manager etc. which can offer an attacker more options than a 0 byte image...

qdm12, Sep 07 '21 21:09
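The manual iptables approach the opening post describes, written out as an added example (not gluetun's own code): it generates the OUTPUT rules that stop anything in gluetun's network namespace from opening connections to the Docker host gateway or the rest of the bridge subnet, while leaving loopback, the tunnel and established flows alone. The gateway 172.17.0.1, subnet 172.17.0.0/24 and interface name tun0 are assumptions taken from the issue; applying the rules needs NET_ADMIN inside the gluetun container, which, as the reply notes, connected containers do not have.

```shell
#!/bin/sh
# Added example, not gluetun's own code. Defaults are assumptions from the
# issue text; override them with environment variables if your bridge differs.
set -eu
HOST_IP="${HOST_IP:-172.17.0.1}"
DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"

# Emit one iptables command per line, in the order they should sit at the top
# of the OUTPUT chain (positions 1-4), without touching the rules gluetun set.
block_rules() {
  host="$1"; subnet="$2"; tun="$3"
  # Traffic to the namespace's own IP is routed over lo; connected containers
  # use it to talk to each other, so it must stay open although it is in-subnet.
  echo "iptables -I OUTPUT 1 -o lo -j ACCEPT"
  # Anything leaving through the VPN tunnel is exactly what gluetun is for.
  echo "iptables -I OUTPUT 2 -o $tun -j ACCEPT"
  # Drop attempts to open a new connection to the host gateway ...
  echo "iptables -I OUTPUT 3 -d $host -m conntrack --ctstate NEW -j DROP"
  # ... and to any other container on the bridge subnet. Matching only NEW
  # keeps replies to inbound connections (e.g. published ports) working.
  echo "iptables -I OUTPUT 4 -d $subnet -m conntrack --ctstate NEW -j DROP"
}

# Count how many of the generated rules are already installed (0 = not applied).
rules_installed() {
  n=0
  block_rules "$1" "$2" "$3" | while IFS= read -r cmd; do
    check="$(printf '%s' "$cmd" | sed 's/ -I OUTPUT [0-9]* / -C OUTPUT /')"
    if $check 2>/dev/null; then n=$((n + 1)); fi
    echo "$n"
  done | tail -n 1
}

# Without --apply the script only prints the rules so they can be reviewed.
if [ "${1:-}" = "--apply" ]; then
  if [ "$(rules_installed "$HOST_IP" "$DOCKER_SUBNET" "$TUN_IF")" = "4" ]; then
    echo "rules already present, nothing to do"
  else
    block_rules "$HOST_IP" "$DOCKER_SUBNET" "$TUN_IF" | while IFS= read -r cmd; do
      echo "+ $cmd"; eval "$cmd"
    done
  fi
else
  block_rules "$HOST_IP" "$DOCKER_SUBNET" "$TUN_IF"
fi
```

Run it with `docker exec gluetun sh -s -- --apply < block_host.sh` (name of the container and script assumed) to apply the rules in gluetun's namespace; the `-C` check makes repeated runs idempotent.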