
If you run something (e.g. nginx) in a Docker container and publish one of the exposed ports to the outside world (like `docker run -p 80:80 nginx`), then Docker will

  • expose the port to the public
  • set up iptables so that if something connects to the container through the Docker network bridge (NAT) then nginx will still know the proper source IP
  • (!) open the firewall to that port completely

I don't want to allow anyone to connect to the published port, but Docker messes that up. So I relaunched the Docker daemon with `--iptables=false`, which allows me to manage the firewall myself. However, nginx now only sees the bridge (172.18.0.1) as the source address.

How can I keep control over the firewall and still forward the source IP address to the container?

Mate Varga
  • Are you using the latest docker version? Or can you provide it here? – Maniankara Feb 23 '16 at 12:39
  • Yep, I'm using 1.10.1. – Mate Varga Feb 23 '16 at 12:56
  • I tested this in Ubuntu and it seems to work, as Docker port forwarding was taken out of iptables way back (afaik); it's handled by the docker-proxy process. I am able to access the nginx even after I have stopped iptables. Are you trying to execute this on a Mac or OS X please? – Maniankara Feb 23 '16 at 13:05
  • The option `--publish` can be set using the IP of the container. Thus, if you use the option `--publish=127.1.1.1:80:80`, then nginx will bind to your localhost on port 80, hence "not available to anyone to connect to the published port". -- Note that I do not get the part about publishing a port if you do not want anyone to connect to it. What do you mean by "anyone"? Other people than the ones having access to the localhost? – Auzias Feb 23 '16 at 14:07
  • @Auzias: a set of hosts would need access to the container, so I need to publish the port on 0.0.0.0 (or on the public IP). The host is on the public internet, and I only want a set of IP addresses that are able to connect. – Mate Varga Feb 23 '16 at 19:40
  • Then you need to play a bit with `iptables` to whitelist this set of IP addresses. – Auzias Feb 24 '16 at 07:36
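One way to do what the last comment suggests, as an added example that is not part of the question or of Docker itself: keep the daemon's iptables handling switched on (so kernel NAT, rather than the docker-proxy process, forwards the published port and nginx keeps seeing the real client address) and put the whitelist into the `DOCKER-USER` chain, which Docker consults before its own FORWARD rules and does not rewrite on restart. It assumes a Docker version that provides `DOCKER-USER` (newer than the 1.10.1 mentioned above), `eth0` as the public interface, and a constructed whitelist of allowed sources.

```shell
#!/bin/sh
# Added example, not taken from the question or from Docker.
# Assumptions: the daemon runs with its default --iptables=true, so kernel
# NAT (not docker-proxy) forwards the port and nginx sees the client IP;
# the Docker version provides the DOCKER-USER chain; eth0 is the public
# interface. ALLOWED is a constructed whitelist.

ALLOWED="203.0.113.10 198.51.100.0/24"   # constructed set of allowed sources
PUBLISHED_PORT=80                        # host port from `-p 80:80`
WAN_IF=eth0                              # assumed public interface

# Print the iptables commands that restrict one published port to the
# space-separated sources in $3. Matching on the ORIGINAL destination port
# via conntrack still works after Docker's DNAT has rewritten the packet
# to the container address and port (so it also covers `-p 8080:80`).
build_rules() {
    port=$1; iface=$2; allowed=$3
    echo "iptables -F DOCKER-USER"
    for src in $allowed; do
        echo "iptables -A DOCKER-USER -i $iface -s $src -p tcp" \
             "-m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN"
    done
    # Anything else arriving on the public interface for that port is dropped.
    # Replies leave via -o eth0, so they are not affected by this rule.
    echo "iptables -A DOCKER-USER -i $iface -p tcp" \
         "-m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
    # Keep Docker's own terminating rule so all other traffic flows as before.
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Number of whitelisted sources in a generated rule set (one RETURN per -s).
count_allows() {
    printf '%s\n' "$1" | grep -c -- '-s .* -j RETURN'
}

# Apply only when asked for explicitly and running as root; otherwise print
# the rules so they can be reviewed first.
main() {
    rules=$(build_rules "$PUBLISHED_PORT" "$WAN_IF" "$ALLOWED")
    if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' "$rules" | sh -e
        iptables -L DOCKER-USER -n -v      # verify the chain afterwards
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run it once without arguments to inspect the generated rules, then `sudo ./script.sh --apply`; ports not published by Docker are untouched, because the DROP rule is limited to the one original destination port.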

0 Answers