The basic idea is to allow packets belonging to established connections and those creating new inbound SSH connections and drop everything else.
The iptables rules to implement this depend on which container network interface (venet or veth) you're using. venet distinguishes containers by IP address whereas veth distinguishes by interface.
For venet:
Code:
# <ip> is the container IP address
# Allow packets for established connections in both directions
# (the target is ACCEPT; iptables has no ALLOW target)
-A INPUT -d <ip> -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s <ip> -p tcp -m state --state ESTABLISHED -j ACCEPT
# Allow new inbound SSH connections
-A INPUT -d <ip> -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Drop all other packets in both directions
-A INPUT -d <ip> -j DROP
-A INPUT -s <ip> -j DROP
For veth:
Code:
# <in> is the Internet interface
# <cn> is the container interface
# Rules that match both an input (-i) and an output (-o) interface filter
# forwarded traffic, so they go in the FORWARD chain (iptables rejects -o in INPUT)
# Allow packets for established connections in both directions
-A FORWARD -i <in> -o <cn> -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i <cn> -o <in> -p tcp -m state --state ESTABLISHED -j ACCEPT
# Allow new inbound SSH connections
-A FORWARD -i <in> -o <cn> -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Drop all other packets in both directions
-A FORWARD -i <in> -o <cn> -j DROP
-A FORWARD -i <cn> -j DROP
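A small linter for rule sets of the kind shown above, added here as an example (not part of the original post): it parses iptables-save style `-A CHAIN ...` lines and flags an unknown jump target such as ALLOW, `-o` used in a chain where iptables rejects it, and a chain that does not end in an explicit drop. The sample rule set, interface names (eth0, veth101.0) and function names are constructed for this example.

```python
import shlex

VALID_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}  # builtin filter targets
NO_OUT_IFACE = {"INPUT", "PREROUTING"}  # chains in which iptables rejects -o

def parse_rule(line):
    """Parse one '-A CHAIN ...' line into (chain, {option: [values]}, target)."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, rest, opts, target = toks[1], toks[2:], {}, None
    i = 0
    while i < len(rest):
        tok, has_arg = rest[i], i + 1 < len(rest) and not rest[i + 1].startswith("-")
        if tok == "-j" and has_arg:
            target = rest[i + 1]
        elif tok.startswith("-"):
            opts.setdefault(tok, []).append(rest[i + 1] if has_arg else True)
        i += 2 if has_arg else 1
    return chain, opts, target

def lint_rules(text):
    """Return [(line_no, message)] for defects in an iptables-save style rule set."""
    problems, last_target = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are fine
        parsed = parse_rule(line)
        if parsed is None:
            problems.append((n, "not an '-A CHAIN ...' rule"))
            continue
        chain, opts, target = parsed
        if target not in VALID_TARGETS:
            problems.append((n, f"unknown target {target!r} (the target is ACCEPT, not ALLOW)"))
        if "-o" in opts and chain in NO_OUT_IFACE:
            problems.append((n, f"-o is invalid in {chain}; inter-interface traffic is filtered in FORWARD"))
        last_target[chain] = target  # remember what each chain ends with
    for chain, target in last_target.items():
        if target not in ("DROP", "REJECT"):
            problems.append((0, f"{chain}: last rule is {target}, no explicit default deny"))
    return problems

# Constructed sample: the veth rule set as first posted, with made-up interface names
POSTED_VETH = """
-A INPUT -i eth0 -o veth101.0 -p tcp -m state --state ESTABLISHED -j ALLOW
-A INPUT -i veth101.0 -o eth0 -p tcp -m state --state ESTABLISHED -j ALLOW
-A INPUT -i eth0 -o veth101.0 -p tcp -m tcp -m state --dport 22 --state NEW -j ALLOW
-A INPUT -i eth0 -o veth101.0 -j DROP
-A INPUT -i veth101.0 -j DROP
"""
```

Running `lint_rules(POSTED_VETH)` reports the ALLOW target on three rules and the `-o` in INPUT on four; after replacing INPUT with FORWARD and ALLOW with ACCEPT it reports nothing.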