IP Routing in Turbo Containers

This is the first installment in a series of blog posts. The other parts are:

The latest update to Turbo introduces new IP address restriction capabilities and routing syntax.

IMPORTANT: Scripts using the previous routing commands must be updated to use the new syntax.

Previously it was only possible to control inbound traffic with flags --route-add, --route-block, and --network. With the latest update, you can now specify whitelists and blacklists on outbound container network traffic as well. To make this possible, the previous syntax of the --route-add flag was updated to follow a more generic scheme:

The new syntax for port direction follows the form <protocol>://<containerPort>:<hostPort>.

For example, to map container TCP port 8080 to host port 80, you would use the command --route-add=tcp://8080:80.

(Previously the syntax followed the form <hostPort>:<containerPort>/<protocol> and the equivalent command would have been --route-add=80:8080/tcp.)

In addition, a new protocol ip is supported, which applies routing to all IP-based communication. For example, the command --route-block=ip blocks all IP traffic. Subsequent --route-add commands can be appended to whitelist specific IP addresses.

Finally, it is now possible to map a container port to a random high host port, which can subsequently be queried with the turbo netstat command. To map container TCP port 4321 to a high random host port, use the command --route-add=tcp://4321:0. The 0 here represents a randomly assigned high port.

Sample: PuTTY Whitelisting

PuTTY is a popular free Telnet client for Windows. To create a PuTTY container with all outbound access blocked except to IP address

turbo new putty --route-block=ip --route-add=ip://

Now let’s reroute all traffic from to, making it possible to connect to host at typing address in PuTTY:

turbo new putty --route-block=ip --route-add=ip:// --route-add=ip://

It is also possible to block or map IP ranges using the CIDR notation. For example, the following command allows PuTTY in the container to connect only to hosts in the network:

turbo new putty --route-block=ip --route-add=ip://

To disallow connection to a set of specific set of IP addresses or ranges (“blacklisting”), simply specify them in the --route-block parameter:

turbo new putty --route-block=ip://

The --route-add and --route-block commands are also supported within the commit verb, so it is easy to save custom network stacks into deployable images.