Restricting Docker container networking to Tor only

Image the following use case, you have an application running which you strictly want to force its traffic to go through the TOR network. In normal case scenarios, you can implement at your network firewall level a restriction to such traffic, a more simplistic approach would be locally to add an iptables rule, but in the container world everything is different.

Here will be explored an use case of an isolated container that can only communicate with a proxy container that has access to the Tor network. Suppose that you don’t trust that you application will keep the proxy configurations or properly use it and you want to be sure that nothing wrong happen to your privacy.

Create the networks

The very first step is to create the networks used for this example. Let’s give them some self-explanatory names.

docker network create internet
docker network create --internal restricted

As you can see, the restricted network is created with the --internal flag, which means that it doesn’t have any external access.

Create the proxy container

Two containers will be created for this test, the first one is the proxy server that will run Tor as a proxy.

docker run --rm -it --name proxy --network internet -e PROXY_PORT=9050 strm/tor

In another terminal run

docker run --rm -it --name client --network restricted strm/task-base

And finally attach the proxy container to the restricted network.

docker network connect restricted proxy


To be sure that the setup is properly working, the image used as the client image already has curl installed, so is possible to run the following command.

root@a7534de5d6be:/data# curl -x socks5h://proxy:9050
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<H1>301 Moved</H1>
The document has moved
<A HREF="">here</A>.

The next step is to be sure that the opposite also happens, that the client container can’t access the internet without the proxy. So you can use ping, curl and other tools to test it.


## STRM ##

A pro-freedom hacktivist thinktank.