If you are running docker on an Internet server, you would have noticed that it opens all container mapped ports in the host’s internet/external IP interface. This is a huge security nightmare with ports getting opened without any warning. Getting around this problem is another nightmare. Even if you modify UFW rules, it does not work as docker manipulates ip-tables directly. Even if you run a reverse proxy and configure it to access the container, the exposed ports still remain open.
I tried various methods that are available all over the internet such as configuring docker to not tamper the IP-tables, adding special rules to ufw configuration etc to circumvent the problem but nothing worked. But after lot of trial and error, I solved the problem. To ensure the ports are and not accessible from the internet and to block them, there are 2 simple fixes.
- If you are running your server/VPS on services like AWS, DigitalOcean etc, they offer their own firewall in the control panel, and you can easily block off access to these exposed ports by configuring the firewall.
- If you are running your server on providers who do not provide this facility say ex. linode, you just must use IP-Table filters as mentioned in the docker documentation. It’s quite simple actually. Add a rule on top of the DOCKER-USER chain to close ports or open them only to specific IP ranges or close them specific IPs. Whichever way you want. Example:
iptables -I DOCKER-USER -i enp3 ! -s 220.127.116.11 -p tcp --dport 9000 -j DROP
The above rule opens port 9000 only to IP 18.104.22.168 and blocks everybody else.
Here enp3 is my host’s external interface name. Change it to correspond with your host’s actual external interface.
Using the above rule as a base, you can build rules to suit your requirements. Hope you found this helpful.