I have a docker container running on a host with some port mapped to a port on the host.
docker run -d -p 9009:9009 someserver
I want this machine firewalled off from the internet except for 80, 443 and 22.
But I still want processes inside the host to be able to connect to 9009.
I was a little shocked to find out docker seems to completely circumvent any firewall rules for dropping packets.
I tried on centos 7 with both firewalld and iptables to block everything except 80, 443, and 22. Somehow I was still able to get at the docker port-mapped container (port 9009) from outside the host! Some solutions I found seem to mess up routing entirely for docker – either make docker containers not be able to get to the internet or whatever.
Is my scenario possible?
This seems to be asking the same question:
https://security.stackexchange.com/questions/66136/docker-port-forwarding-exposure
Best Answer
It looks like I can bind my exposed container ports to localhost only.
docker run -d -p 127.0.0.1:9009:9009 someserver