A Docker container with ipset and iptables from Kubernetes, built on the debian-iptables parent image.

This container can be used to implement IP-based whitelisting of the SSH daemon: only connections from the configured addresses, networks and countries reach sshd, everything else is dropped before it gets there.
By using the country-whitelist published by IPdeny, you agree to their Terms of Service (TOS) and are familiar with their Copyright notice and Privacy Policy.
- Make sure to run this as a privileged container with host networking.
- Make sure that you load the IPv6-related kernel modules before starting this container, see moby#33605
The container is configured with environment variables:

- WHITELISTED_IPV4_IPS: space-separated list of IPv4 addresses to whitelist
- WHITELISTED_IPV4_NETS: space-separated list of IPv4 networks (CIDR) to whitelist
- WHITELISTED_IPV6_IPS: space-separated list of IPv6 addresses to whitelist
- WHITELISTED_IPV6_NETS: space-separated list of IPv6 networks (CIDR) to whitelist
- WHITELISTED_COUNTRIES: space-separated list of lowercase ISO 3166-1 alpha-2 country codes to whitelist; the source for these entries are the country IP blocks published by IPdeny
Allow connections from Switzerland, from the IPv4 private address ranges, and from the IPv4 address 8.8.8.8:

```sh
docker run \
  --rm \
  --privileged \
  --net=host \
  -e WHITELISTED_COUNTRIES="ch" \
  -e WHITELISTED_IPV4_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" \
  -e WHITELISTED_IPV4_IPS="8.8.8.8" \
  linkyard/sshd-ipset-whitelist
```
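To show how the variables above turn into ipset and iptables state, here is an added example script; it is not the entrypoint of the linkyard/sshd-ipset-whitelist image and does not claim to match its rule layout. It creates one hash:ip or hash:net set per variable, rejects tokens that are not address syntax before they reach ipset, reads country zone files (one CIDR per line, the format IPdeny publishes) from a local directory instead of downloading them, and hooks a SSH_WHITELIST chain in front of new TCP connections to the SSH port. The set names, the chain name, the conntrack NEW match, the ZONE_DIR location and the SSH_PORT, DRY_RUN and APPLY_WHITELIST switches are all assumptions of this example.

```shell
#!/bin/sh
# Example only: not the linkyard/sshd-ipset-whitelist entrypoint.
# Builds ipset sets from the WHITELISTED_* variables and hooks an
# iptables/ip6tables chain in front of the SSH port.
set -eu

SSH_PORT="${SSH_PORT:-22}"   # assumed variable: port to protect
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only, 0 = execute them

# Print or execute a command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only IPv4/IPv6 literals with an optional prefix length, so that a
# stray token in an environment variable never becomes an ipset argument.
valid_member() {
  case "$1" in
    *[!0-9a-fA-F:./]*|'') return 1 ;;   # characters outside address syntax
    *) return 0 ;;
  esac
}

# (Re)create one set and fill it from a space separated member list.
# $1 set name  $2 hash:ip|hash:net  $3 inet|inet6  $4 members
build_set() {
  name=$1; type=$2; family=$3; members=$4
  run ipset create "$name" "$type" family "$family" -exist
  run ipset flush "$name"
  for m in $members; do
    valid_member "$m" || { echo "skipping invalid entry: $m" >&2; continue; }
    run ipset add "$name" "$m" -exist
  done
}

# Load a zone file (one CIDR per line, as IPdeny publishes them) into a net
# set. Downloading is out of scope here; the caller passes a local path.
add_zone_file() {
  name=$1; file=$2
  while IFS= read -r cidr || [ -n "$cidr" ]; do
    case "$cidr" in ''|'#'*) continue ;; esac
    valid_member "$cidr" || continue
    run ipset add "$name" "$cidr" -exist
  done < "$file"
}

# Build the SSH_WHITELIST chain for one address family: accept sources found
# in either set, drop everything else, and send new SSH connections into it.
# $1 iptables|ip6tables  $2 ip set  $3 net set
build_rules() {
  ipt=$1; ip_set=$2; net_set=$3
  run "$ipt" -N SSH_WHITELIST 2>/dev/null || true   # chain may already exist
  run "$ipt" -F SSH_WHITELIST
  run "$ipt" -A SSH_WHITELIST -m set --match-set "$ip_set" src -j ACCEPT
  run "$ipt" -A SSH_WHITELIST -m set --match-set "$net_set" src -j ACCEPT
  run "$ipt" -A SSH_WHITELIST -j DROP
  # Only NEW connections are checked, so established sessions survive a
  # rebuild of the sets. -C keeps the INPUT hook idempotent across restarts.
  if [ "$DRY_RUN" = "1" ] || \
     ! "$ipt" -C INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_WHITELIST 2>/dev/null; then
    run "$ipt" -I INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_WHITELIST
  fi
}

apply_whitelist() {
  build_set ssh_wl_v4_ips  hash:ip  inet  "${WHITELISTED_IPV4_IPS:-}"
  build_set ssh_wl_v4_nets hash:net inet  "${WHITELISTED_IPV4_NETS:-}"
  build_set ssh_wl_v6_ips  hash:ip  inet6 "${WHITELISTED_IPV6_IPS:-}"
  build_set ssh_wl_v6_nets hash:net inet6 "${WHITELISTED_IPV6_NETS:-}"
  # ZONE_DIR is an assumed location for previously downloaded IPdeny files.
  for cc in ${WHITELISTED_COUNTRIES:-}; do
    case "$cc" in [a-z][a-z]) ;; *) echo "bad country code: $cc" >&2; continue ;; esac
    if [ -r "${ZONE_DIR:-/zones}/$cc.zone" ]; then
      add_zone_file ssh_wl_v4_nets "${ZONE_DIR:-/zones}/$cc.zone"
    fi
  done
  build_rules iptables  ssh_wl_v4_ips ssh_wl_v4_nets
  build_rules ip6tables ssh_wl_v6_ips ssh_wl_v6_nets
}

# Run with APPLY_WHITELIST=1 (and DRY_RUN=0 on a host with ipset/iptables)
# to apply; the default DRY_RUN=1 just prints the commands it would issue.
if [ "${APPLY_WHITELIST:-0}" = "1" ]; then apply_whitelist; fi
```

With the default DRY_RUN=1 the script prints the ipset and iptables commands instead of executing them, which is a convenient way to review the resulting rule set before giving the container CAP_NET_ADMIN on the host network. Whitelisting by country is only as good as the zone data: a stale or truncated zone file silently narrows or widens the set, so the file should be refreshed on a schedule and the number of entries loaded per country logged.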