selfhostyourtech/network-filter
2
0
Fork 0
mirror of https://github.com/Monadical-SAS/network-filter.git synced 2025-12-20 04:09:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
4 Commits 1 Branch 5 Tags
735d0a41b10f7d271c5b4eab91e662d0a259e7b4
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Mathieu Virbel 735d0a41b1 fix: changes the image name to match docker
2025-07-30 15:58:36 -06:00
.github/workflows
feat: also update docker hub description
2025-07-30 15:38:06 -06:00
.pre-commit-config.yaml
feat: first version
2025-07-30 12:25:34 -06:00
docker-compose.yml
feat: first version
2025-07-30 12:25:34 -06:00
Dockerfile
feat: first version
2025-07-30 12:25:34 -06:00
LICENSE
feat: first version
2025-07-30 12:25:34 -06:00
network-filter.sh
feat: first version
2025-07-30 12:25:34 -06:00
README.md
fix: changes the image name to match docker
2025-07-30 15:58:36 -06:00

README.md

network-filter

A lightweight Docker container that provides network filtering capabilities using iptables and dnsmasq. It restricts outbound network access to an allowlist of domains, making it useful for creating secure network environments where containers should only communicate with specific external services.

How it works

The network-filter uses a combination of:

  • iptables: Drops all outbound traffic by default, then allows only specific IP addresses resolved from allowed domains
  • dnsmasq: Acts as a local DNS server that only resolves allowed domains
  • Dynamic IP resolution: Periodically refreshes IP addresses for allowed domains to handle DNS changes

The filter operates at the network level, meaning any container that shares its network namespace will inherit these restrictions.

Usage

Basic usage

docker run --cap-add NET_ADMIN \
  -e ALLOWED_DOMAINS="github.com,api.github.com" \
  monadicalsas/network-filter

Docker Compose

To restrict a container's network access, use Docker's network_mode to share the network-filter's network namespace.

This ensures the container can only access domains specified in ALLOWED_DOMAINS.

services:
  network-filter:
    image: monadicalsas/network-filter:latest
    cap_add:
      - NET_ADMIN
    environment:
      - ALLOWED_DOMAINS=github.com,api.github.com

  my-app:
    image: my-app:latest
    network_mode: "service:network-filter"

Configuration

Environment Variable Description Default
ALLOWED_DOMAINS Comma-separated list of allowed domains with optional port specifications (none - required)
DNS_SERVERS Comma-separated list of upstream DNS servers 8.8.8.8,8.8.4.4
REFRESH_INTERVAL How often to refresh domain IP addresses (seconds) 300
RUN_SELFTEST Run connectivity tests on startup false

Domain and port specification

You can specify which ports are allowed for each domain:

  • domain.com - allows ports 80 and 443 (default)
  • domain.com:443 - allows only port 443
  • domain.com:22:80:443 - allows ports 22, 80, and 443

Examples:

# Default ports (80, 443)
ALLOWED_DOMAINS=github.com,api.github.com

# HTTPS only for github.com
ALLOWED_DOMAINS=github.com:443,api.github.com

# Multiple ports including SSH
ALLOWED_DOMAINS=github.com:22:443,api.github.com

Network rules

The filter allows:

  • All loopback traffic
  • Established connections
  • Local network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • DNS queries to configured DNS servers
  • TCP connections to resolved IPs of allowed domains on specified ports

All other outbound traffic is dropped.

Testing

Enable self-test on startup to verify the configuration:

docker run --cap-add NET_ADMIN \
  -e ALLOWED_DOMAINS="github.com" \
  -e RUN_SELFTEST=true \
  monadicalsas/network-filter

Or run the self-test manually:

docker exec <container-id> /network-filter.sh selftest

Example: Testing with ping

Test that allowed domains work while others are blocked:

# Start the network filter container
docker run -d --name net-filter --cap-add NET_ADMIN -e ALLOWED_DOMAINS="github.com" monadicalsas/network-filter

# This will work - github.com is in the allowed list
docker run --rm --network "container:net-filter" alpine ping -c 3 github.com

# This will fail - google.com is not in the allowed list
docker run --rm --network "container:net-filter" alpine ping -c 3 google.com

Limitations

  • Only supports IPv4 addresses
  • Requires periodic refresh to handle DNS changes
  • All containers sharing the network namespace share the same restrictions

Q&A

Why is NET_ADMIN capability required?

The NET_ADMIN capability is required to configure iptables rules within the container. This capability only affects the container's network namespace and does not grant any privileges to modify the host's network configuration. The container's iptables rules are isolated and cannot impact the host system's networking.

Reference in New Issue View Git Blame Copy Permalink
Description
network-filter
Readme MIT 93 KiB
Languages
Shell 97.4%
Dockerfile 2.6%