I have a lesser restriction in my case where I open up certain port numbers in all containers. The containers communicate with each other by using the host IP and the exposed port number.

In my case, on top of connecting to the custom network, I also connect the containers to the default bridge network. The default network does not allow communication between the containers.
Then in iptables, I create a new pipeline and pipe docker0 (the bridge network) to it:

    -N FILTERS
    -F FILTERS
    -A DOCKER-USER -i docker0 -o docker0 -j FILTERS

(the chain has to be created with -N before -F can flush it) and allow the whitelisted port numbers:

    -A FILTERS -p tcp --dport 1234 -m state --state NEW -j ACCEPT -m comment --comment container1
    -A FILTERS -p tcp --dport 5678 -m state --state NEW -j ACCEPT -m comment --comment container2
You can try tightening the restriction by:

- not connecting the default bridge network
- finding the network interface of net1 and net2 via ip link show and ifconfig
- changing the pipeline to

    -F CONTAINER1-CONTAINER2
    -F CONTAINER2-CONTAINER1
    -A DOCKER-USER -i br-xxxx -o br-yyyy -j CONTAINER1-CONTAINER2
    -A DOCKER-USER -i br-yyyy -o br-xxxx -j CONTAINER2-CONTAINER1

- modifying the port list to

    -A CONTAINER2-CONTAINER1 -p tcp --dport 1234 -m state --state NEW -j ACCEPT -m comment --comment container1
    -A CONTAINER1-CONTAINER2 -p tcp --dport 5678 -m state --state NEW -j ACCEPT -m comment --comment container2
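The per-network variant above, as an added example that is not part of the original answer: a small POSIX sh script that resolves the br-xxxx interface names from the Docker network IDs and prints the iptables commands for the two directional chains instead of running them, so the rule set can be reviewed before it is piped to sh as root. Network names net1/net2, the chain names, the ports and the sample network IDs are assumed placeholders; the explicit RELATED,ESTABLISHED accept and the trailing DROP in each chain are this example's own additions so that the whitelist does not rely on icc=false.

```shell
#!/bin/sh
# Added example: generate (do not apply) iptables rules that limit traffic
# between two user-defined Docker bridge networks to a port whitelist.

# Docker names a user-defined bridge interface "br-" followed by the first
# 12 characters of the network ID (unless com.docker.network.bridge.name
# was set when the network was created).
bridge_for_network_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Same, but resolve the ID live through the Docker CLI (needs a running dockerd).
bridge_for_network() {
    bridge_for_network_id "$(docker network inspect -f '{{.Id}}' "$1")"
}

# emit_rules BR_1 BR_2
# Reads whitelist lines "DIRECTION PORT COMMENT" on stdin, where DIRECTION is
# 1to2 (new connections from net1 into net2) or 2to1, and prints iptables commands.
emit_rules() {
    br1=$1; br2=$2
    for chain in CONTAINER1-CONTAINER2 CONTAINER2-CONTAINER1; do
        echo "iptables -N $chain 2>/dev/null || true"   # create if missing
        echo "iptables -F $chain"                        # then start empty
    done
    # Hook both directions into DOCKER-USER, which the FORWARD chain consults
    # before Docker's own rules. Delete-then-insert keeps the script re-runnable.
    echo "iptables -D DOCKER-USER -i $br1 -o $br2 -j CONTAINER1-CONTAINER2 2>/dev/null || true"
    echo "iptables -D DOCKER-USER -i $br2 -o $br1 -j CONTAINER2-CONTAINER1 2>/dev/null || true"
    echo "iptables -I DOCKER-USER -i $br1 -o $br2 -j CONTAINER1-CONTAINER2"
    echo "iptables -I DOCKER-USER -i $br2 -o $br1 -j CONTAINER2-CONTAINER1"
    # Reply packets of an already-accepted connection pass regardless of port.
    for chain in CONTAINER1-CONTAINER2 CONTAINER2-CONTAINER1; do
        echo "iptables -A $chain -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    done
    while read -r dir port comment; do
        case "$dir" in
            1to2) chain=CONTAINER1-CONTAINER2 ;;
            2to1) chain=CONTAINER2-CONTAINER1 ;;
            *) echo "bad direction: $dir" >&2; return 1 ;;
        esac
        echo "iptables -A $chain -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT -m comment --comment $comment"
    done
    # Everything not whitelisted is dropped here, so the policy holds even if
    # inter-container communication is left enabled on the bridges.
    for chain in CONTAINER1-CONTAINER2 CONTAINER2-CONTAINER1; do
        echo "iptables -A $chain -j DROP"
    done
}

# Constructed sample: container2 may open 1234 on container1 and container1
# may open 5678 on container2, matching the port list in the answer. The two
# network IDs are made up; real ones come from `docker network inspect`.
sample_rules() {
    emit_rules "$(bridge_for_network_id 0123456789abcdef)" \
               "$(bridge_for_network_id fedcba9876543210)" <<'EOF'
2to1 1234 container1
1to2 5678 container2
EOF
}

# Print the commands; review them, then apply with: sample_rules | sudo sh
sample_rules
```

Replace the two bridge_for_network_id calls with bridge_for_network net1 / bridge_for_network net2 on a real host, and compare the result against iptables -S DOCKER-USER after applying to confirm the jumps landed ahead of the RETURN rule.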