Docker container accessible only via Cloudflare CDN (selected IP ranges)

I have a webserver in a docker container, but I cannot configure iptables on my host (Debian). I want to allow only specified IP addresses to connect on ports 80 and 443 to my machine (host). Port 22 should be accessible from any IP. In my case, the allowed addresses should be the Cloudflare IP addresses. Cloudflare IPs are available at https://www.cloudflare.com/ips-v4.

How should I correctly block non-Cloudflare IP connections on ports 80 and 443?



Solution 1:[1]

SOLUTION:

# Start from an empty DOCKER-USER chain (Docker consults this chain before its own FORWARD rules).
iptables -F DOCKER-USER
# Every -I below inserts at the top, so the last command ends up as the first rule.
# Default: hand the packet back to Docker's own rules (keeps port 22 and other ports working).
iptables -I DOCKER-USER -j RETURN
# Drop any TCP traffic to 80/443 that is not matched by an allow rule above it.
iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -j DROP
# One RETURN (allow) rule per Cloudflare IPv4 range arriving on the public interface eth0.
for i in $(curl -s https://www.cloudflare.com/ips-v4); do
        iptables -I DOCKER-USER -p tcp -i eth0 -m multiport --dports http,https -s "$i" -j RETURN
done
# Let traffic leaving through eth0 (replies from the container) pass.
iptables -I DOCKER-USER -o eth0 -d 0.0.0.0/0 -j ACCEPT

Result of iptables -L for the DOCKER-USER chain:

ACCEPT     all  --  anywhere             anywhere
RETURN     tcp  --  <ACCEPTED IPs>       anywhere             multiport dports http,https
DROP       tcp  --  anywhere             anywhere             multiport dports http,https
RETURN     all  --  anywhere             anywhere

Explanation:
The first part (ACCEPT) accepts outgoing traffic from the web server (docker container).
The second part (RETURN) lists the IP addresses allowed to connect on port 80 or 443.
The third part (DROP) drops packets of connections on port 80/443 whose source is NOT listed in the RETURN part.
The fourth part (RETURN) is the default rule in the DOCKER-USER chain. It makes it possible to handle connections on other ports with the next rules instead of dropping all connections on non-80/443 ports (e.g. port 22 - ssh).

This will also drop any packet to a docker container running on port 80/tcp even when the container's port is not mapped to the host, creating an issue similar to "docker, iptables and cloudflare".
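The answer above flushes DOCKER-USER and then inserts rules one at a time, so there is a window in which the chain is empty (everything allowed), and a failed curl silently produces a chain with no allow rules (everything on 80/443 dropped). The script below is an added example, not the answer's own code: it validates each fetched line as an IPv4 CIDR, refuses to emit anything when no valid range survives, and writes the chain as an iptables-restore fragment so it can be swapped in atomically. It assumes the public interface is eth0 (as in the answer) and that the range list has already been saved to a file, e.g. with curl -s https://www.cloudflare.com/ips-v4 > /tmp/cf-ips-v4.

```shell
#!/bin/sh
# Added example (not from the answer): build a DOCKER-USER replacement for
# iptables-restore from a file of Cloudflare IPv4 ranges, one CIDR per line.
# Assumptions: public interface eth0; the file was fetched separately.

# Accept a line only if it looks like an IPv4 CIDR. Anything else that a
# failed download might produce (an HTML error page, a blank body) must
# never become an iptables argument.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print an iptables-restore fragment that replaces the DOCKER-USER chain.
# Rule order matches the answer's final chain: ACCEPT outbound, RETURN for
# each allowed source, DROP other 80/443, RETURN everything else.
# Returns 1 and prints nothing when no valid range was found, so a bad
# download can neither fail open (empty chain) nor fail closed (all dropped).
build_docker_user_rules() {
    ranges_file=$1
    iface=${2:-eth0}
    count=0
    allow_rules=""
    while IFS= read -r line || [ -n "$line" ]; do
        is_ipv4_cidr "$line" || continue
        allow_rules="${allow_rules}-A DOCKER-USER -i ${iface} -p tcp -m multiport --dports 80,443 -s ${line} -j RETURN
"
        count=$((count + 1))
    done < "$ranges_file"
    [ "$count" -gt 0 ] || return 1
    printf '%s\n' '*filter'
    printf '%s\n' ':DOCKER-USER - [0:0]'
    printf '%s\n' "-A DOCKER-USER -o ${iface} -j ACCEPT"
    printf '%s' "$allow_rules"
    printf '%s\n' '-A DOCKER-USER -p tcp -m multiport --dports 80,443 -j DROP'
    printf '%s\n' '-A DOCKER-USER -j RETURN'
    printf '%s\n' 'COMMIT'
}

# Usage (as root): build_docker_user_rules /tmp/cf-ips-v4 eth0 | iptables-restore --noflush
```

With --noflush, iptables-restore flushes and refills only the chains named in the fragment (here DOCKER-USER) and leaves Docker's other chains alone; the whole chain is replaced in one commit rather than rule by rule. The IPv6 list at https://www.cloudflare.com/ips-v6 needs a separate matcher and ip6tables-restore, which this example does not cover.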

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution source:
Solution 1: new_buffer_overflow