Use the Docker network hardening guide to control network access.
Docker creates its own networking stack that enables containers to communicate with other networking endpoints. By default, Docker uses a networking configuration that allows unrestricted communication for containers so containers can communicate with all IP addresses. You can restrict the networking sources the containers communicate with. The following describes using Ubuntu with iptables commands to restrict IP access.
Block Network Access to the Host Machine
Integrations and scripts running within containers do not usually require access to the host network. For added security, you can block network access from containers to services running on the engine machine.
Add the following iptables rule for each private IP on the tenant machine:
sudo iptables -I INPUT -s <
IP address range
> -d <host private ip address
> -j DROPFor example, to limit all source IPs from containers that use the IP ranges 172.16.0.0/12, run
sudo iptables -I INPUT -s 172.16.0.0/12 -d 10.18.18.246 -j DROP
. This also ensures that new Docker networks which use addresses in the IP address range of 172.16.0.0/12 are blocked from access to the host private IP. The default IP range used by Docker is 172.16.0.0/12. If you have configured a different range in Docker'sdaemon.json
config file, use the configured range. Alternatively, you can limit specific interfaces by using the interface name, such asdocker0
, as a source.(Optional) To view a list of all private IP addresses on the host machine, run
sudo ifconfig -a
Assign a Docker Network for a Docker Image
If your engine is installed on a cloud provider such as AWS or GCP, it is a best practice to block containers from accessing the cloud provider’s instance metadata service. The metadata service is accessed via IP address 169.254.169.254
. For more information about the metadata service and the data exposed, see the AWS and GCP documentation
There are cases where you might need to provide access to the metadata service. For example, access is required when using an AWS integration that authenticates via the available role from the instance metadata service. You can create a separate Docker network, without the blocked iptable rule, to be used by the AWS integration’s Docker container. For most AWS integrations the relevant Docker image is: demisto/boto3py3
Create a new Docker network by running the following command:
sudo docker network create -d bridge -o com.docker.network.bridge.name=docker-metadata aws-metadata
Add the following key.
"python.pass.extra.keys.demisto/boto3py3": "--network=aws-metadata"
Save the changes.
Restart the demisto service on the engine machine.
sudo systemctl start d1
(Ubuntu/DEB)
sudo service d1 restart
Verify the configuration of your new Docker network:
sudo docker network inspect aws-metadata
Block Internal Network Access
In some cases, you might need to block specific integrations from accessing internal network resources and allow the integrations to access only external IP addresses. This setting is recommended for the Rasterize integration when used to Rasterize untrusted URLs or HTML content, such as those obtained via external emails. With internal network access blocked, a rendered page in the Rasterize integration cannot perform a SSRF or DNS rebind attack to access internal network resources.
Create a new Docker network by running the following command:
sudo docker network create -d bridge -o com.docker.network.bridge.name=docker-external external
Block network access to the host machine for the new Docker network:
iptables -I INPUT -i docker-external -d <host private ip> -j DROP
Block network access to cloud provider instance metadata:
sudo iptables -I DOCKER-USER -i docker-external -d 169.254.169.254/32 -j DROP
Block internal network access:
sudo iptables -I DOCKER-USER -i docker-external -d 10.0.0.0/8 -j DROP
sudo iptables -I DOCKER-USER -i docker-external -d 172.16.0.0/12 -j DROP
sudo iptables -I DOCKER-USER -i docker-external -d 192.168.0.0/16 -j DROP
Add the following key to run integrations that use the
demisto/chromium
docker image with the Docker networkexternal
."python.pass.extra.keys.demisto/chromium": "
--network=external
"Save the changes.
Restart the demisto service on the engine machine.
sudo systemctl start d1
(Ubuntu/DEB)
sudo service d1 restart
Verify the configuration of your new Docker network:
sudo docker network inspect external
Persist Iptables Rules
By default, iptables rules are not persistent after a reboot. To ensure your changes are persistent, save the iptables rules by following the recommended configuration for your Linux operating system: