
I want to close my containers running in Docker to the outside world. Brute-force attacks are constantly coming to my MySQL port. I don’t know how to prevent it. I add rules in iptables, but the rules don’t work. I don’t know what I am doing wrong.

Commands I tried:

iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
iptables -I DOCKER-USER -i ext_if ! -s 172.18.0.2 -j DROP

I didn’t get a concrete answer from any of them.

2 Answers

  1. Here are a few ways to close Docker containers to the outside world:

    1. Do Not Expose Ports: By default, when you run a container, its network ports are not exposed to the host system or the external network. This means that other systems won’t be able to access services running inside the container unless you specifically map the container ports to the host ports using the -p option with docker run command. To ensure the container is not exposed to the outside world, simply avoid using the -p option when starting the container.

      Example:

      docker run -d my_image_name
      
    2. Use a Private Network: Docker allows you to create custom bridge networks to which containers can be attached. By using a custom bridge network, you can isolate containers from the default bridge network (which allows communication between containers by default). Containers connected to a custom bridge network won’t be directly accessible from the outside world.

      Example:

      # Create a custom bridge network
      docker network create my_network
      
      # Run a container and attach it to the custom bridge network
      docker run -d --network my_network my_image_name
      
    3. Firewall Rules: You can use firewall rules to control inbound and outbound network traffic on your host system. By configuring your firewall to block incoming connections to specific ports used by Docker containers, you can effectively close access to those containers from the outside world.

    4. Docker Compose: If you use Docker Compose to manage your containers, you can specify the expose directive in the Compose file to indicate that the container should be accessible from other containers on the same network, but not from the external network.

      Example docker-compose.yml snippet:

      version: '3'
      services:
        my_service:
          image: my_image_name
          expose:
            - "8080"
      

    Remember that securing your containers is essential, especially when running them in production environments. Always follow security best practices and keep your software and Docker images up to date with the latest security patches. Additionally, consider using tools like Docker Secrets for sensitive data and restricting access to containers as needed. Hope that helps.

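The first answer turns on one distinction: an `expose:` entry publishes nothing, while `-p` / `ports:` entries publish on every interface unless a host address is given. The following audit is an added example, not code from the original post or from Docker: it parses the short port syntax `[host_ip:][host_port:]container_port[/proto]` and classifies each entry by how far it reaches, so a compose file can be checked before it is deployed. The `SAMPLE_PORTS` list is constructed for illustration; the function names are this example's own.

```python
"""Classify Docker port publications by how far they reach.

Added example (not from the original post): parses the short `-p` / compose
`ports:` syntax `[host_ip:][host_port:]container_port[/proto]` and reports
whether each entry is reachable from other hosts. `expose:` entries are not
published at all, so they never appear in this audit.
"""
import ipaddress


def parse_port_spec(spec):
    """Return (host_ip, host_port, container_port, proto) for one short-syntax entry.

    host_ip is None when the port is bound on every interface (Docker's default);
    host_port is None when Docker picks an ephemeral host port.
    """
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    host_ip = None
    if body.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:3306:3306
        end = body.index("]")
        host_ip = body[1:end]
        if body[end + 1:end + 2] != ":":
            raise ValueError(f"unrecognised port spec: {spec!r}")
        parts = body[end + 2:].split(":")
        if len(parts) != 2:
            raise ValueError(f"unrecognised port spec: {spec!r}")
        host_port, container_port = parts
    else:
        parts = body.split(":")
        if len(parts) == 1:
            host_port, container_port = "", parts[0]
        elif len(parts) == 2:
            host_port, container_port = parts
        elif len(parts) == 3:
            host_ip, host_port, container_port = parts
        else:
            raise ValueError(f"unrecognised port spec: {spec!r}")
    return host_ip, host_port or None, container_port, proto


def exposure(spec):
    """'loopback', 'specific-interface' or 'all-interfaces' for one entry."""
    host_ip = parse_port_spec(spec)[0]
    if host_ip is None:
        return "all-interfaces"
    addr = ipaddress.ip_address(host_ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "all-interfaces"
    return "specific-interface"


def externally_reachable(specs):
    """Entries other hosts can reach, i.e. anything not bound to loopback."""
    return [s for s in specs if exposure(s) != "loopback"]


# Constructed sample `ports:` entries, mixing the forms seen in the answers above.
SAMPLE_PORTS = [
    "3306:3306",               # MySQL on every interface: what the question is fighting
    "127.0.0.1:1234:5678",     # loopback only, as in the second answer
    "0.0.0.0:8080:80/tcp",     # explicit wildcard bind, still every interface
    "[::1]:9000:9000",         # IPv6 loopback
    "443",                     # bare container port: ephemeral host port, every interface
    "192.168.1.10:5432:5432",  # bound to one LAN address
]

if __name__ == "__main__":
    for spec in SAMPLE_PORTS:
        print(f"{spec:28} {exposure(spec)}")
    print("externally reachable:", externally_reachable(SAMPLE_PORTS))
```

The bare `443` form is the one people miss: it still publishes, Docker just picks the host port. Anything the audit reports as `all-interfaces` or `specific-interface` is reachable by other hosts and is where a DOCKER-USER rule (second answer) or a switch to a loopback bind belongs.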
  2. Typically, the best option is to not publish the port. You can access container-to-container by creating your own network and accessing the container using the container name and the port the application is listening on. With compose, this is built-in with a network alias (DNS name) for each service name. E.g. with this compose file

    services:
      app:
        image: app:latest
      db:
        image: somedb:latest
    

    From app you can connect to db on whichever port the DB listens on, no need to publish the port, or even expose it (exposing ports is typically done as documentation).


    An alternative to publishing the port on all interfaces is to only publish on the loopback interface, allowing access from the local machine, but not from any external hosts:

    services:
      db:
        image: somedb:latest
        ports:
          - "127.0.0.1:1234:5678" # publish localhost 1234, forwarding to container port 5678
    

    If you need to publish the port, then the iptables rules should use conntrack if you want to limit the rule to a specific host port. The interface may also need adjusting because I believe the rule is processed after the packet has been mangled for the container network:

    # Line continuations restored: each rule is a single iptables invocation
    iptables -I DOCKER-USER -s 10.0.0.0/24 -p tcp \
      -m conntrack --ctorigdstport 8080 -j ACCEPT
    iptables -I DOCKER-USER -s 192.168.0.0/16 -p tcp \
      -m conntrack --ctorigdstport 3000 -j ACCEPT
    iptables -I DOCKER-USER ! -s 10.0.0.0/24 -p tcp \
      -m conntrack --ctorigdstport 8080 -j DROP
    

    It’s also important that these rules are added with an insert (-I) since there is a default accept all rule in DOCKER-USER that overrides all rules added after it.

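The last paragraph of this answer is the usual reason rules "don't work": a rule appended with `-A` lands after the chain's default rule and is never evaluated. The script below is an added example, not code from the original post or from Docker; it reads `iptables -S DOCKER-USER` output and reports the positions of rules that sit behind an unconditional terminating rule. The two listings (`APPENDED`, `INSERTED`) are constructed to show the `-A` and `-I` outcomes, and the function names are this example's own.

```python
"""Spot DOCKER-USER rules that can never match, from `iptables -S DOCKER-USER` output.

Added example (not from the original post). Docker creates DOCKER-USER with an
unconditional `-j RETURN` at the end; a rule appended with -A lands after it and
is never evaluated, which is why the answer above inserts with -I. The listing
text used here is constructed, not captured from a real host.
"""
import shlex
import sys

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_chain(listing, chain="DOCKER-USER"):
    """Return (match_tokens, target) for each `-A <chain> ...` line, in chain order."""
    rules = []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
            continue
        body = tokens[2:]
        matches, target, i = [], None, 0
        while i < len(body):
            if body[i] == "-j" and i + 1 < len(body):
                target = body[i + 1]
                break  # whatever follows the target is a target option, not a match
            if body[i] == "-m" and i + 1 < len(body) and body[i + 1] == "comment":
                i += 4  # `-m comment --comment "<text>"` restricts nothing
                continue
            matches.append(body[i])
            i += 1
        rules.append((matches, target))
    return rules


def shadowed_rules(listing, chain="DOCKER-USER"):
    """1-based positions of rules placed after the first unconditional terminating rule."""
    rules = parse_chain(listing, chain)
    for pos, (matches, target) in enumerate(rules, start=1):
        if not matches and target in TERMINATING:
            return list(range(pos + 1, len(rules) + 1))
    return []


# Constructed listing: the DROP rule was added with -A, so it trails Docker's RETURN.
APPENDED = """\
-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER ! -s 10.0.0.0/24 -p tcp -m conntrack --ctorigdstport 8080 -j DROP
"""

# Constructed listing: the same rules added with -I, so they precede the RETURN.
INSERTED = """\
-N DOCKER-USER
-A DOCKER-USER ! -s 10.0.0.0/24 -p tcp -m conntrack --ctorigdstport 8080 -j DROP
-A DOCKER-USER -s 10.0.0.0/24 -p tcp -m conntrack --ctorigdstport 8080 -j ACCEPT
-A DOCKER-USER -j RETURN
"""

if __name__ == "__main__":
    # On a host: iptables -S DOCKER-USER | python3 docker_user_audit.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else APPENDED
    dead = shadowed_rules(listing)
    print("shadowed rule positions:", dead or "none")
```

Run it against the live chain after adding rules; any position it reports is a rule that will never see a packet, and re-adding that rule with `-I` (or `-I DOCKER-USER <n>` for a specific slot) moves it ahead of the default rule.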