Docker: Restricting inbound and outbound traffic using iptables
2 votes | 1 answer | 2854 views
We have lot of applications that run on Linux server using Docker.
As an example, let us say my application runs on **ServerA** as a container (Docker).
```
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
df68695a00f1 app/myapp:latest "/run.sh" 2 weeks ago Up 2 days 0.0.0.0:50423->3000/tcp reallymyapp
```
The app is listening on the port 50423 on the host (mapped to port 3000 on the container).
The DNS (endpoint) that is used to access the app is pointing to the HAProxy host (say **ServerB**), that routes the traffic to **ServerA:50423**.
Everything works well so far.
The security team in our org raised a concern that all external source IPs are potentially allowed to connect to such Docker hosts (like **ServerA**) and they want us to restrict traffic to allow only a specific IP (**ServerB** which is a load balancer) to access the containers and vice versa (**ServerA** to **ServerB**). We would then allow connectivity from our users' machines to **ServerB**/load balancer only.
Now, I followed Docker documentation and tried to insert the following rule using iptables to DOCKER-USER chain:
```sh
# -I inserts at position 1, so the DROP goes in first and the ACCEPT rules end up
# above it (as in the listing below); the comma-separated -s list must contain no
# spaces and expands into one rule per address
iptables -I DOCKER-USER -i ekf192 -j DROP
iptables -I DOCKER-USER -i ekf192 -s 10.1.2.10,10.1.2.11,10.1.2.12 -j ACCEPT
```

```
# iptables -L DOCKER-USER
ACCEPT all -- 10.1.2.10 anywhere
ACCEPT all -- 10.1.2.11 anywhere
ACCEPT all -- 10.1.2.12 anywhere
LOG all -- anywhere anywhere LOG level info prefix "IPTables Dropped: "
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
```
Please note that we need both incoming and outgoing traffic from/to these hosts (10.1.2.10, 10.1.2.11, 10.1.2.12).
Now, as per my (limited) knowledge of iptables, these rules should drop all incoming requests except when they originate from the mentioned IP addresses, and vice versa, i.e., allow outgoing traffic to the mentioned IPs.
The incoming traffic works as expected but the outgoing traffic to these HOSTS is getting dropped.
I am scratching my head over this and cannot figure out what is going wrong... and, not to mention, I absolutely suck at understanding how iptables rules work.
```
Jan 12 16:24:43 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=40235 DF PROTO=TCP SPT=3000 DPT=42579 WINDOW=242 RES=0x00 ACK FIN URGP=0
Jan 12 16:24:44 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3000 DPT=45182 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Jan 12 16:24:45 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.12 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3000 DPT=45182 WINDOW=29200 RES=0x00 ACK SYN URGP=0
```
Asked by Koshur
(1399 rep)
Jan 12, 2021, 05:39 PM
Last activity: Aug 5, 2025, 01:01 PM
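The logged drops are replies leaving the container (IN=docker0 OUT=ekf192, SRC=172.17.0.2), which source-based ACCEPT rules never match. As an added example, not code from the question or its answer, the script below emits a DOCKER-USER rule set that admits the listed peers in both directions with a conntrack rule for replies, plus a hypothetical pure-shell model of the chain (evaluate_packet) for checking verdicts offline; it assumes the question's interface name ekf192 and peers 10.1.2.10-12.

```shell
#!/bin/sh
# Added example, not the question's or the answer's code. Assumes the question's
# external interface name ekf192 and its peer addresses 10.1.2.10-12.
EXT_IF="ekf192"
ALLOWED_PEERS="10.1.2.10 10.1.2.11 10.1.2.12"

# Print the iptables commands in the order they must be run. Every command
# uses -I (insert at position 1), so the LAST line printed is evaluated FIRST.
docker_user_rules() {
    # evaluated last: log and drop anything else crossing the external interface
    echo "iptables -I DOCKER-USER -o $EXT_IF -j DROP"
    echo "iptables -I DOCKER-USER -i $EXT_IF -j DROP"
    echo "iptables -I DOCKER-USER -o $EXT_IF -j LOG --log-prefix 'IPTables Dropped: '"
    echo "iptables -I DOCKER-USER -i $EXT_IF -j LOG --log-prefix 'IPTables Dropped: '"
    for peer in $ALLOWED_PEERS; do
        # container -> peer: connections the container opens to the load balancer
        echo "iptables -I DOCKER-USER -o $EXT_IF -d $peer -j ACCEPT"
        # peer -> container: connections the load balancer opens to the container
        echo "iptables -I DOCKER-USER -i $EXT_IF -s $peer -j ACCEPT"
    done
    # evaluated first: replies such as the SYN-ACK from 172.17.0.2:3000 in the
    # question's log belong to an already accepted connection; the source-based
    # ACCEPT rules alone never match them because they travel docker0 -> ekf192
    echo "iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Hypothetical pure-shell model of the chain above, so the policy can be checked
# without root or Docker. Args: in_if out_if src dst ctstate (NEW|ESTABLISHED|RELATED).
# Prints ACCEPT, DROP, or RETURN (hands over to Docker's own FORWARD rules).
evaluate_packet() {
    in_if=$1; out_if=$2; src=$3; dst=$4; ctstate=$5
    case "$ctstate" in
        ESTABLISHED|RELATED) echo ACCEPT; return 0 ;;
    esac
    for peer in $ALLOWED_PEERS; do
        if [ "$in_if" = "$EXT_IF" ] && [ "$src" = "$peer" ]; then echo ACCEPT; return 0; fi
        if [ "$out_if" = "$EXT_IF" ] && [ "$dst" = "$peer" ]; then echo ACCEPT; return 0; fi
    done
    if [ "$in_if" = "$EXT_IF" ] || [ "$out_if" = "$EXT_IF" ]; then
        echo DROP; return 0   # the LOG rule fires just before this in the real chain
    fi
    echo RETURN   # e.g. container-to-container traffic on docker0
}
# Usage (as root, after reviewing the output): docker_user_rules | sh
```

Traffic that does not cross ekf192 falls through to RETURN and is left to Docker's own FORWARD rules, so inter-container traffic on docker0 is unaffected.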