As the ports key of the YAML description file conveniently describes more or less all the ports that get opened on the virtual machine (or are necessary to open), this list could easily be enhanced to carry basic port-based security protection. As all machine provisioners support iptables, the ports specified could be used to switch off access on all ports except the ones from the list. Of course, this would take care of service ports such as the one used for ssh access, or the docker and swarm ports. The list could even be enhanced with a list of hostnames, which would be resolved to the list of IP addresses accepted to connect to the machine from the outside. This host list would, in most cases, contain references to the names of machines in the YAML description.
Implementing such a feature would provide a basic degree of security that is mostly beneficial when using external providers (Azure, etc.). Access to created machines would be controlled almost by default.
Does anyone have experience with overlaying this kind of security measure on top of the iptables rules that are created and maintained by docker itself?
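One way the proposal above could be realised, as an added example that is not code from the issue or from the project: the parsed YAML is stood in for by a constructed dict (the `ports` / `allow_from` keys and the machine names are assumptions, not the project's schema), hostnames are resolved through a constructed offline table instead of DNS, and the output is the list of iptables commands a provisioner would run. Host-level ports are filtered in INPUT; traffic to published container ports is forwarded rather than delivered locally, so the source filter for it goes into the DOCKER-USER chain, which Docker itself leaves alone.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for the parsed YAML description (assumed shape).
MACHINES = {
    "manager": {"ports": [22, 2376, 3376], "allow_from": ["worker-1", "office"]},
    "worker-1": {"ports": [22, 2376], "allow_from": ["manager"]},
}
# Constructed resolution table standing in for DNS / provider inventory,
# so the example runs offline. A real provisioner would fill this in.
RESOLVE = {"manager": ["10.0.0.10"], "worker-1": ["10.0.0.11"], "office": ["203.0.113.0/24"]}

SSH_PORT = 22       # always kept open so the provisioner cannot lock itself out
EXT_IF = "eth0"     # assumed name of the machine's external interface


def resolve(hosts: List[str]) -> List[str]:
    """Map hostnames or literal addresses/networks to CIDR strings; unknown names fail loudly."""
    out = []
    for h in hosts:
        try:
            out.append(str(ipaddress.ip_network(h, strict=False)))
            continue
        except ValueError:
            pass
        if h not in RESOLVE:
            raise ValueError(f"unresolvable host in allow list: {h}")
        out.extend(str(ipaddress.ip_network(a, strict=False)) for a in RESOLVE[h])
    return out


def rules_for(name: str, machines: Dict = MACHINES) -> List[str]:
    """Build the iptables commands for one machine from its YAML-derived ports and hosts."""
    m = machines[name]
    ports = sorted(set(m["ports"]) | {SSH_PORT})
    sources = resolve(m["allow_from"])
    # Host traffic: loopback and existing connections first, then the listed ports from the
    # listed sources only; the DROP policy is set last so an already open ssh session survives.
    rules = ["iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src in sources:
        for p in ports:
            rules.append(f"iptables -A INPUT -p tcp -s {src} --dport {p} -j ACCEPT")
    rules.append("iptables -P INPUT DROP")
    # Container traffic: DNAT has already rewritten the port by the time FORWARD runs, so only
    # the source can be checked here. Each -I lands at the top, so the final order is
    # ESTABLISHED -> allowed sources -> DROP, all limited to new traffic arriving on EXT_IF.
    rules.append(f"iptables -I DOCKER-USER -i {EXT_IF} -j DROP")
    for src in sources:
        rules.append(f"iptables -I DOCKER-USER -i {EXT_IF} -s {src} -j RETURN")
    rules.append(f"iptables -I DOCKER-USER -i {EXT_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN")
    return rules
```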