
There are several docker containers on my server, exposing ports. Now I try to restrict the access to the ports to IP addresses, being able to insert rules without allowing the policy. I apply iptables rules programmatically from a dotnet application, also running inside a container on the host, but on the host network instead of a bridge network. So the following are the rules applied on start of the application

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT

Then I will remove all DOCKER-USER rules but the RETURN rule and apply the following

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Then I add all needed ports for web interfaces etc. and, in the scenario that there were established connections, rules for all those (they are stored in a database)

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2376 -j ACCEPT
iptables -A DOCKER-USER -p tcp -m conntrack --ctorigsrc {my_ip} -m tcp --dport 5000 -j ACCEPT
iptables -A INPUT -p tcp -s {my_ip} --dport 5000 -j ACCEPT

Then I drop the INPUT and FORWARD chain. So far so good.

Now I need to limit the connection to a single IP and be able to dynamically remove and add rules for IPs. I tried appending and inserting rules for INPUT and DOCKER-USER as above, but neither appending nor inserting limits the connection to the IP; there are always either all or no clients able to connect to the port.

Does someone see what I'm missing?

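An added example (not part of the question or any answer) of managing per-IP access to a published container port through the DOCKER-USER chain from a script, in the same add/remove style the question describes. It relies on two facts from the Docker documentation: DOCKER-USER is traversed from FORWARD before Docker's own rules and ends in a `-j RETURN` that Docker appends, so rules must be inserted ahead of it (`-I`), and port publishing applies DNAT in PREROUTING, so by the time a packet reaches FORWARD `--dport` already shows the container's port; the published port is matched with `-m conntrack --ctorigdstport` instead. The interface name `eth0`, the port 5000 and the address 203.0.113.5 are constructed placeholders, and `DRY_RUN=1` (the default here) prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example: per-IP allow-list for a published container port via
# DOCKER-USER. Defaults to printing the commands (DRY_RUN=1); set DRY_RUN=0
# and run as root to apply them. EXT_IF, the port and the IP are assumptions.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external (host-facing) interface

# Run one iptables invocation, or print it when dry-running.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Match spec shared by allow/revoke so that -D deletes exactly what -I added.
# --ctorigdstport matches the port the client asked for (pre-DNAT), and
# --ctdir ORIGINAL restricts the rule to client->container packets; replies
# leave the container on the bridge side and never hit -i $EXT_IF.
allow_spec() {
    printf '%s' "-i $EXT_IF -s $1 -p tcp -m conntrack --ctorigdstport $2 --ctdir ORIGINAL -j ACCEPT"
}

# Start from Docker's layout: an empty chain that ends in RETURN.
reset_docker_user() {
    ipt -F DOCKER-USER
    ipt -A DOCKER-USER -j RETURN
}

# Default-deny for one published port. Inserted at position 1 so it sits
# before RETURN; appending (-A) would land it after RETURN and it would never
# be evaluated.
lockdown_port() {
    ipt -I DOCKER-USER 1 -i "$EXT_IF" -p tcp -m conntrack --ctorigdstport "$1" --ctdir ORIGINAL -j DROP
}

# Allow one client IP; inserted at position 1 so it precedes the DROP.
allow_ip() {
    # shellcheck disable=SC2046  # word splitting of the spec is intended
    ipt -I DOCKER-USER 1 $(allow_spec "$1" "$2")
}

# Revoke one client IP; existing flows from it are cut off too, since the
# DROP rule matches every ORIGINAL-direction packet, not only the first.
revoke_ip() {
    # shellcheck disable=SC2046
    ipt -D DOCKER-USER $(allow_spec "$1" "$2")
}

# Show the chain in rule-spec form to verify ordering after changes.
show_docker_user() {
    ipt -S DOCKER-USER
}

# Demonstration with the constructed values (prints commands in dry-run).
reset_docker_user
lockdown_port 5000
allow_ip 203.0.113.5 5000
show_docker_user
revoke_ip 203.0.113.5 5000
```

Two things worth checking when applying this for real: `iptables -S DOCKER-USER` should list the ACCEPT rules first, then the DROP, then `-j RETURN`; and rules placed in INPUT do not affect this traffic at all, because packets DNATed to a bridged container traverse FORWARD, not INPUT, which is why a host-level `-s {my_ip} --dport 5000` rule in INPUT neither admits nor blocks clients of the container.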
