When setting up an SFTP-only Docker container for multiple users, network isolation becomes a critical security consideration. While we typically focus on restricting inbound access, limiting outbound connections from containers is equally important for preventing potential misuse if the container gets compromised.
There are several effective methods to control a container's network access:
```bash
# Method 1: no network at all (nothing can reach the container over the network either)
docker run --network=none -d my-sftp-image

# Method 2: a custom bridge with restricted access. An --internal network has no
# route to or from anything outside the bridge, so confirm that the published
# port is actually reachable from the host before relying on this variant.
docker network create --internal restricted-net
docker run --network=restricted-net -d -p 2222:22 my-sftp-image
```
For more granular control, you can implement iptables rules directly on the host, in the DOCKER-USER chain that Docker evaluates before its own forwarding rules:

```bash
# DOCKER-USER ends in a RETURN rule that Docker manages, so rules have to be
# inserted (-I) ahead of it; anything appended with -A sits behind the RETURN
# and is never evaluated. Replies to connections the host forwarded into the
# container (inbound SFTP) must be accepted first, or the DROP kills them.
# Allow only SSH/SFTP traffic (port 22)
iptables -I DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I DOCKER-USER 2 -p tcp --dport 22 -j ACCEPT
iptables -I DOCKER-USER 3 -j DROP

# Alternatively, to also allow DNS but block other outbound traffic
iptables -I DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I DOCKER-USER 2 -p tcp --dport 22 -j ACCEPT
iptables -I DOCKER-USER 3 -p udp --dport 53 -j ACCEPT
iptables -I DOCKER-USER 4 -p tcp --dport 53 -j ACCEPT
iptables -I DOCKER-USER 5 -j REJECT
# These rules are not scoped to an interface, so they apply to every Docker
# network on the host; add -i <bridge> if other containers need egress.
```
Here's a complete docker-compose.yml example implementing network restrictions:

```yaml
version: '3.8'
services:
  sftp:
    image: atmoz/sftp
    networks:
      restricted:
        ipv4_address: 172.20.0.2
    ports:
      - "2222:22"
    volumes:
      - ./users.conf:/etc/sftp/users.conf:ro
networks:
  restricted:
    # An ordinary bridge: egress is enforced by the host's DOCKER-USER rules
    # above. Pin the bridge interface name with driver_opts
    # (com.docker.network.bridge.name) if you want to scope those rules to it.
    driver: bridge
    enable_ipv6: false
    ipam:
      config:
        - subnet: 172.20.0.0/24
```
After implementing these measures, test your container's network access:
```bash
# This should fail inside the container
docker exec -it sftp-container curl google.com
# This should work (SFTP connection)
sftp -P 2222 user@localhost
```
Combine network restrictions with other security measures:
- Use read-only filesystems where possible
- Implement resource limits
- Regularly update your Docker images
- Monitor container activity
When building an SFTP-only Docker container for secure file transfers, we face an interesting security paradox: while we typically focus on restricting inbound access (only exposing port 22), we often neglect the equally important outbound restrictions. A compromised container with internet access can become a launchpad for attacks, spam, or data exfiltration.
Docker provides several network drivers that can help achieve our goal:
- `--network none`: complete network isolation (too restrictive for SFTP)
- `--network host`: shares the host's network stack (insecure)
- `--network bridge`: default bridge network (needs customization)
The most effective approach combines Docker's native capabilities with iptables rules:
```bash
# Create a custom bridge network with restricted outbound access
docker network create --driver bridge \
  --opt com.docker.network.bridge.name=sftp_net \
  sftp-network

# Run container with custom network
docker run -d --name sftp_server \
  --network sftp-network \
  -p 2222:22 \
  -v /host/sftp:/home \
  atmoz/sftp

# Add iptables rules to block outbound traffic (except SSH/SFTP).
# -I without a position inserts at the top, so two plain -I calls would leave
# the DROP above the ACCEPT and block everything; give explicit positions.
# Replies to inbound SFTP sessions come out of sftp_net and must be accepted
# before the DROP, otherwise clients connect but never get an answer.
sudo iptables -I DOCKER-USER 1 -i sftp_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I DOCKER-USER 2 -i sftp_net ! -o sftp_net -p tcp --dport 22 -j ACCEPT
sudo iptables -I DOCKER-USER 3 -i sftp_net ! -o sftp_net -j DROP
```
After implementation, test from inside the container:
```bash
docker exec -it sftp_server sh
# This should fail:
curl google.com
# This should work (if targeting another container in same network):
curl sftp-neighbor-container
```
For newer Docker versions (20.04+), you can also lean on the bridge driver options, which Docker turns into firewall rules of its own:

```bash
# Create a network whose containers cannot talk to each other (no ICC) and
# whose traffic is not masqueraded, so replies from the internet have no
# route back to the container. --subnet is required for --ip below.
docker network create --driver bridge \
  --subnet 172.28.0.0/24 \
  --opt com.docker.network.bridge.enable_icc=false \
  --opt com.docker.network.bridge.enable_ip_masquerade=false \
  restricted-sftp-net

# Attach the running container with a fixed address and a DNS alias;
# port 22 remains the only port published on the host
docker network connect \
  --alias sftp-gateway \
  --ip 172.28.0.2 \
  restricted-sftp-net sftp_server
```
- Regularly audit iptables rules with `iptables -L DOCKER-USER -v -n`
- Combine with read-only filesystems (`--read-only`) for enhanced security
- Consider using `--cap-drop ALL` and only adding necessary capabilities
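The DOCKER-USER mistakes discussed above (rules appended behind Docker's trailing RETURN, a DROP that lands ahead of the ACCEPTs, no allowance for replies to inbound SFTP sessions, a deny not scoped to the SFTP bridge) are easy to catch mechanically when you audit the chain. This added example is not from the original page or from Docker: it parses `iptables -S DOCKER-USER` output and reports those findings; the chain dumps are constructed samples and `sftp_net` is the bridge name used in the rules above.

```python
"""Audit a DOCKER-USER chain dump (`iptables -S DOCKER-USER`) for ordering mistakes."""
import shlex

def parse_rules(text):
    """Return (target, in_iface, ctstates) per `-A DOCKER-USER` line; other lines skipped."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:1] != ["-A"]:
            continue
        target = argv[argv.index("-j") + 1] if "-j" in argv else None
        in_if = argv[argv.index("-i") + 1] if "-i" in argv else None  # `! -i` not handled
        states = set(argv[argv.index("--ctstate") + 1].split(",")) if "--ctstate" in argv else set()
        rules.append((target, in_if, states))
    return rules

def audit(text, bridge):
    """Return findings as strings; an empty list means the chain looks sane."""
    findings, seen_return, seen_established, effective_deny = [], False, False, False
    for n, (target, in_if, states) in enumerate(parse_rules(text), 1):
        if seen_return:  # Docker keeps a trailing RETURN; `-A` appends behind it
            findings.append(f"rule {n} sits after RETURN and is never evaluated")
        elif target == "RETURN":
            seen_return = True
        elif target == "ACCEPT" and "ESTABLISHED" in states:
            seen_established = True
        elif target in ("DROP", "REJECT"):
            effective_deny = True
            if not seen_established:  # replies to inbound SFTP sessions would die here
                findings.append(f"rule {n} denies before any ESTABLISHED accept")
            if in_if != bridge:
                findings.append(f"rule {n} lacks -i {bridge}; it hits every Docker network")
    if not effective_deny:
        findings.append("no reachable DROP/REJECT: container egress is unrestricted")
    return findings

# Constructed chain dumps: what two position-less `-I` calls produce (DROP inserted
# above the ACCEPT), and a corrected chain that accepts established replies first.
MISORDERED = """-A DOCKER-USER -i sftp_net ! -o sftp_net -j DROP
-A DOCKER-USER -i sftp_net ! -o sftp_net -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN"""
CORRECTED = """-A DOCKER-USER -i sftp_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i sftp_net ! -o sftp_net -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -i sftp_net ! -o sftp_net -j DROP
-A DOCKER-USER -j RETURN"""

if __name__ == "__main__":
    for name, chain in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(f"{name}: {audit(chain, 'sftp_net') or 'ok'}")
```

On a live host, feed it the real dump with `audit(subprocess.check_output(["iptables", "-S", "DOCKER-USER"], text=True), "sftp_net")`.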