To prevent an Apptainer (formerly Singularity) container from accessing host ports, you need to restrict its network access. By default, Apptainer containers inherit the host's network namespace, which allows them to access host ports.

Solutions to Deny Host Port Access

1. Use --network none

This completely disables network access for the container, including host ports:

bash
Copy
apptainer run --writable-tmpfs --fakeroot --network none docker://debian

• Effect: The container will have no network connectivity at all.

2. Use a Private Network Namespace

If you still need some network access (e.g., for internal communication), you can create a private network namespace:

bash
Copy
apptainer run --writable-tmpfs --fakeroot --network=private docker://debian

• Effect: The container will have its own isolated network stack, but no direct access to the host's network.

3. Use --no-ipv4 or --no-ipv6 (Partial Restriction)

If you only want to block IPv4 or IPv6:

bash
Copy
apptainer run --writable-tmpfs --fakeroot --no-ipv4 docker://debian

• Effect: The container will not have IPv4 (or IPv6) connectivity.

4. Use a Firewall Rule (Host-Level)

If you need fine-grained control, you can use iptables or nftables on the host to block the container's access to specific ports:

bash
Copy
sudo iptables -A OUTPUT -p tcp --dport <PORT> -j DROP

• Effect: Blocks outbound connections to <PORT> for all processes, including the container.

---

Best Approach

• If the container should not have any network access, use --network none.
• If it needs limited network access, use --network=private and configure internal networking.
• If you need host-level restrictions, use a firewall.

Would you like help setting up a specific firewall rule or testing these options?