Restrict Internet Access - Docker Container

As found here, I got this to work with docker-compose. Save as docker-compose.yml:

version: '3'services:  outgoing-wont-work:    image: alpine    networks:      - no-internet    command: ping -c 3 google.com # will crash  internal-will-work:    image: alpine    networks:      - no-internet    command: ping -c 3 internal-and-external  internal-and-external:    image: alpine    networks:      - no-internet      - internet    command: ping -c 3 google.comnetworks:  no-internet:    driver: bridge    internal: true  internet:    driver: bridge

Then run docker-compose up -d, docker-compose ps will show something like this after a few seconds:

              Name                            Command               State    Ports----------------------------------------------------------------------------------dco_inet_internal-and-external_1   ping -c 3 google.com             Exit 0        dco_inet_internal-will-work_1      ping -c 3 internal-and-ext ...   Exit 0        dco_inet_outgoing-wont-work_1      ping -c 3 google.com             Exit 1      

Network creation for access internet

docker network create --subnet=172.19.0.0/16 internet

Network creation for block internet access

docker network create --internal --subnet 10.1.1.0/24 no-internet

If you want to connect docker container into internet

docker network connect internet container-name

If you want to block internet access

docker network connect no-internet container-name

Note

in internal network we can't expose ports to connect outside world, please refer this question for more details

Another option, if you need to expose ports on a container without internet access, but want to let it talk to other containers would be to provide a bogus DNS configuration. This isn't a perfect solution though, since it doesn't prevent direct IP access to the outside world.

docker-compose.yaml

version: '3'services:  service1:    image: alpine    command: sh -c 'ping service2 -c 1; ping google.com -c 1'    dns: 0.0.0.0  service2:    image: alpine    command: sh -c 'ping service1 -c 1; ping google.com -c 1'    dns: 0.0.0.0

isolated> docker-compose upRecreating isolated_service1_1 ... done                                                                                 Recreating isolated_service2_1 ... done                                                                                 Attaching to isolated_service2_1, isolated_service1_1service1_1  | PING service2 (172.18.0.2) 56(84) bytes of data.service1_1  | 64 bytes from isolated_service2_1.isolated_default (172.18.0.2): icmp_seq=1 ttl=64 time=0.038 msservice1_1  |service1_1  | --- service2 ping statistics ---service1_1  | 1 packets transmitted, 1 received, 0% packet loss, time 0msservice1_1  | rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 msservice2_1  | PING service1 (172.18.0.3) 56(84) bytes of data.service2_1  | 64 bytes from isolated_service1_1.isolated_default (172.18.0.3): icmp_seq=1 ttl=64 time=0.093 msservice2_1  |service2_1  | --- service1 ping statistics ---service2_1  | 1 packets transmitted, 1 received, 0% packet loss, time 0msservice2_1  | rtt min/avg/max/mdev = 0.093/0.093/0.093/0.000 msservice1_1  | ping: google.com: Temporary failure in name resolutionservice2_1  | ping: google.com: Temporary failure in name resolutionisolated_service1_1 exited with code 2isolated_service2_1 exited with code 2