Hi, I have a docker compose setup with a manually created network called “frontend”, which consists of a bunch of apps and the reverse proxy; ports 443 and 80 are port-forwarded from the router to the TrueNAS box via hairpin NAT rules.
Here is the issue: all those internet-facing services can access all of the devices on my local network, which is a security concern.
I wanted to restrict that, which I figured I could do with some iptables rules:
iptables -I FORWARD 1 -s 172.18.0.0/24 -d 192.168.1.1 -j ACCEPT
iptables -I FORWARD 2 -s 172.18.0.0/24 -d 192.168.0.0/16 -j DROP
which do work when applied manually: I can no longer ping devices on my local net from within the containers on the “frontend” docker network, but am still able to reach the internet.
However, when I added them as a POSTINIT command to make the rules persistent, I’ve noticed that by the time docker starts up, they get superseded by a bunch of other rules and move down relative to the ones docker (Truenas?) adds, and stop working.
What are my options in this situation? Is it possible at all to reliably restrict local net access from those containers?
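Added example (not part of the post above, and not TrueNAS or Docker project code): the usual way to make rules like these survive Docker's startup is to put them in the DOCKER-USER chain rather than directly in FORWARD. Docker creates that chain, jumps to it as the first rule of FORWARD, and leaves its contents alone, so anything inserted there is evaluated before the rules Docker adds for its own networks. The script below reuses the subnets from the post (172.18.0.0/24, 192.168.0.0/16 and the 192.168.1.1 exception) and inserts them idempotently, so it can be re-run from a POSTINIT task without duplicating rules. The script name, the `apply`/`show` arguments and the idempotency check are my assumptions; confirm the container subnet with `docker network inspect frontend`, since Docker allocates /16 by default unless the subnet was set explicitly.

```shell
#!/bin/sh
# restrict-frontend.sh (hypothetical name): keep containers on the "frontend"
# Docker network off the LAN by inserting rules into DOCKER-USER, the chain
# Docker evaluates first in FORWARD and does not reorder at startup.
# Subnets are taken from the forum post; adjust to your own network.

DOCKER_NET="172.18.0.0/24"   # the "frontend" network (verify with: docker network inspect frontend)
LAN_NET="192.168.0.0/16"     # everything on the home LAN
ROUTER="192.168.1.1"         # the one LAN host the containers may still reach

# Emit the rules as iptables argument strings, one per line, in the order they
# must appear: the narrow ACCEPT for the router has to precede the broad DROP,
# otherwise the DROP matches first and the router becomes unreachable too.
frontend_lan_rules() {
    printf '%s\n' \
        "-s $DOCKER_NET -d $ROUTER -j ACCEPT" \
        "-s $DOCKER_NET -d $LAN_NET -j DROP"
}

# Insert one rule at position $1 of DOCKER-USER unless an identical rule is
# already there (iptables -C returns 0 when the rule exists), so repeated runs
# after reboots or Docker restarts do not stack duplicates.
insert_rule() {
    pos=$1
    shift
    if iptables -C DOCKER-USER "$@" 2>/dev/null; then
        return 0
    fi
    iptables -I DOCKER-USER "$pos" "$@"
}

# Create the chain if this runs before Docker has (Docker only creates
# DOCKER-USER and the FORWARD jump when they are missing, so the rules we add
# here survive its startup), then insert the rules at the top in order.
apply_frontend_lan_rules() {
    iptables -N DOCKER-USER 2>/dev/null || true
    pos=1
    frontend_lan_rules | while read -r rule; do
        # shellcheck disable=SC2086   # intentional word splitting of the rule
        insert_rule "$pos" $rule
        pos=$((pos + 1))
    done
}

# Show the effective order so you can confirm the ACCEPT sits above the DROP
# and that both precede Docker's own RETURN at the bottom of the chain.
show_frontend_lan_rules() {
    iptables -L DOCKER-USER -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_frontend_lan_rules ;;
    show)  show_frontend_lan_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it as root with `sh restrict-frontend.sh apply` from the POSTINIT task (it is safe to run it again later), then `sh restrict-frontend.sh show` and test from a container with `ping` against a LAN host and against an internet address. Because DOCKER-USER is consulted before any of Docker's per-network ACCEPT rules, the relative position of these rules in FORWARD no longer changes when Docker starts.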