
I have a MongoDB Docker container and I only want to have access to it from inside my server, not from outside. I even blocked port 27017/tcp with firewall-cmd, but it seems that Docker is still available to the public.
I am using Linux CentOS 7 and docker-compose for setting up Docker.

3 Answers


  1. If you have your application in one container and MongoDB in another container, what you need to do is connect them together using a network that is set to be internal.

    See Documentation:

    Internal
    By default, Docker also connects a bridge network to it to provide
    external connectivity. If you want to create an externally isolated
    overlay network, you can set this option to true.

    See also this question

    Here’s the tutorial on networking (not including internal but good for understanding)

    You may also limit traffic to MongoDB by configuring the Linux iptables firewall for MongoDB.

    For creating private networks, use some IPs from these ranges:
    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255

    Read more on Wikipedia.

    You may connect a container to more than one network, so typically an application container is connected to the outside-world network (external) and to the internal network. The application communicates with the database on the internal network and returns data to the client via the external network. The database is connected only to the internal network, so it is not seen from the outside (internet).

  2. I resolved the same problem by adding an iptables rule that blocks port 27017 on the public interface (eth0) at the top of the DOCKER chain:

    iptables -I DOCKER 1 -i eth0 -p tcp --dport 27017 -j DROP

    Set the rule after Docker startup.

    Another thing to do is to use a non-default port for mongod; modify docker-compose.yml (remember to add --port=XXX in the command directive).

    For better security I suggest putting your server behind an external firewall.

  3. I found a post that may help. Just posting it here for people who need it in the future.

    For security concerns we need both a hardware firewall and the OS firewall enabled and configured properly. I found that firewall protection is ineffective for ports opened in a Docker container listening on 0.0.0.0, even though the firewalld service was enabled at that time.

    My situation is:

    • A server with CentOS 7.9 and Docker version 20.10.17 installed
    • A Docker container was running with port 3000 opened on 0.0.0.0
    • The firewalld service had been started with the command systemctl start firewalld
    • Only port 22 should be allowed access from outside the server, as the firewall was configured.

    It was expected that no one else could access port 3000 on that server, but the testing result was the opposite. Port 3000 on that server was accessed successfully from other servers. Thanks to the blog post, I now have my server under firewall protection.

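The two answers above describe the same mechanism from two sides: a port published on 0.0.0.0 is reachable despite firewalld (answer 3), and an iptables rule is what actually closes it (answer 2). The following shell script is an added example written for this page; it is not code from the question or from any of the answers. It audits the mappings Docker reports for a container, flags the ones bound to the wildcard address, and prints the blocking rule for each. It assumes the public interface is eth0 and that the mapping text has the shape printed by `docker ps --format '{{.Ports}}'`; both are my assumptions, not something the page states. Two details differ from answer 2 on purpose: the rule goes in DOCKER-USER, the chain Docker documents for administrator rules and evaluates before its own DOCKER chain (which Docker manages itself, hence the "set it after startup" caveat in answer 2), and it matches the original destination port through conntrack, because published traffic has already been DNATed to the container before it reaches this chain.

```shell
#!/bin/sh
# Added example, not code from the question or any of the answers above.
# Audits the port mappings Docker reports for a container and prints the
# DOCKER-USER rule that blocks each publicly bound port on the public NIC.
#
# Assumptions (mine, not the page's): the public interface is eth0, and the
# mapping text has the shape printed by `docker ps --format '{{.Ports}}'`,
# e.g. "0.0.0.0:27017->27017/tcp, :::27017->27017/tcp".

# Classify one mapping: "public" when the host side is the wildcard address
# (0.0.0.0 for IPv4, :: or [::] for IPv6), "local" when it is bound to a
# specific address such as 127.0.0.1, "unpublished" when there is no host side.
classify_mapping() {
    case "$1" in
        0.0.0.0:*'->'*|:::*'->'*|'[::]':*'->'*) echo public ;;
        *'->'*) echo local ;;
        *) echo unpublished ;;
    esac
}

# From the whole Ports column of one container, print the host port of every
# publicly bound mapping, once each (the IPv4 and IPv6 entries share a port).
public_host_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' |
    while read -r m; do
        [ "$(classify_mapping "$m")" = public ] || continue
        # keep only the host port between the last ':' and the '->'
        printf '%s\n' "$m" | sed 's/^.*:\([0-9][0-9]*\)->.*$/\1/'
    done | sort -u
}

# Print (do not apply) the rule for one port. Two details matter here:
#  - DOCKER-USER is the chain Docker documents for administrator rules; it is
#    evaluated before Docker's own DOCKER chain, which Docker manages itself.
#  - Published traffic is DNATed to the container before it reaches this
#    chain, so the original host port is matched with conntrack's
#    --ctorigdstport rather than a plain --dport.
drop_rule() {   # drop_rule IFACE PORT
    printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' "$1" "$2"
}

# One rule per public port; pipe the output through sh as root to apply it.
drop_rules_for() {   # drop_rules_for IFACE "PORTS_TEXT"
    public_host_ports "$2" | while read -r p; do drop_rule "$1" "$p"; done
}

# Constructed sample: mongod published on every interface (the situation in
# the question) and an app published on loopback only.
SAMPLE_PORTS='0.0.0.0:27017->27017/tcp, :::27017->27017/tcp, 127.0.0.1:3000->3000/tcp'

drop_rules_for eth0 "$SAMPLE_PORTS"
```

On a live host the audit is `docker ps --format '{{.Ports}}'` fed line by line into `drop_rules_for`. The rule is a stopgap for containers that are already running; the cleaner fix for the question's docker-compose setup is to publish the port on loopback only (`"127.0.0.1:27017:27017"` under `ports:`) or to drop the `ports:` entry for mongod entirely and let the application reach it over an internal network, as answer 1 describes, so the wildcard binding that bypasses firewalld never exists.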