This repository contains files for building and running a Docker container to isolate other containers from the rest of your network, while optionally exposing some ports.
Imagine finding a Docker image online that seems to do exactly what you need, but you're kind of worried that it contains malicious code.
To minimize the possible damage, you might disable networking for this container completely:
$ docker run --net none potentially_malicious_image
While this does work, it also breaks containers that listen for connections. So what if the image you're after is a server that listens for connections?
This is exactly what net-sandbox
tries to solve. Simply run the sandbox container first:
$ docker run --cap-add NET_ADMIN --name sandbox xjonathanlei/net-sandbox
Then run the suspicious container inside the sandboxed network:
$ docker run --net container:sandbox potentially_malicious_image
It's just a few simple iptables rules.
TODO: add link to Docker Hub
Just build the image yourself then.
MIT