I have a Docker container with nginx on CentOS 7.

Port 80 is reachable from outside even though this port is NOT opened in firewalld. Here are the rules for the public zone:

# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno3
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

but there is an automatic rule for this port in the DOCKER chain:

# iptables -L DOCKER
Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http

How do I CLOSE this port from outside? I ran this command, but it did not help:

# firewall-cmd --zone=public --remove-port=80/tcp --permanent
Warning: NOT_ENABLED: 80:tcp
success

I've read the docs (https://docs.docker.com/engine/userguide/networking/) but still don't get it. Actually I need to open port 80 only for my specified network 1.2.3.4/24.

Trav Erse
  • This ip `172.17.0.2` belongs to a software defined network from docker, that is not directly accessible from outside the host. Have you tried to access it from outside? – Robert Jul 04 '17 at 22:52
  • How is it possible to access this network (172.17.0.0/24) from outside? I can access only external_ip_docker_host:80 and don't understand how to close this access. – Trav Erse Jul 05 '17 at 08:31

2 Answers

Maybe a bit overdue, but:

You are probably mapping with something like 3000:3000. This is very much the equivalent of 0.0.0.0:3000:3000.

What you want is to map only to your localhost. You can achieve this by listening to a specific IP address, such as 127.0.0.1 (localhost).

Change your configuration to 127.0.0.1:[host_port]:[container_port].
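As an added illustration of this answer (my own script, not part of the original answer), the check below parses the PORTS column of `docker ps` and flags every mapping that Docker has bound on all interfaces, which is exactly the case that ends up in the DOCKER chain and bypasses the firewalld public zone. The sample output is constructed; the container names and ports in it are made up.

```shell
#!/bin/sh
# Added example, not from the original question or answers.
# A mapping written as "-p 80:80" (or "80:80" under ports: in
# docker-compose) is shorthand for "0.0.0.0:80:80"; Docker then inserts an
# ACCEPT rule into its own DOCKER chain, outside of firewalld's zones.
# Hardened form from the answer above: "-p 127.0.0.1:80:80", so the port
# is reachable only from the host itself (or "expose" in docker-compose
# to keep it inside the Docker network).

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'`.
SAMPLE_PS='nginx 0.0.0.0:80->80/tcp, :::80->80/tcp
api 127.0.0.1:3000->3000/tcp
db 5432/tcp'

# Print "<name> <host_ip>:<host_port>" for every mapping that is reachable
# from outside the host: host IP 0.0.0.0, :: or missing altogether.
wide_open_ports() {
    printf '%s\n' "$1" | while read -r name ports; do
        # one mapping per line; unpublished ports such as "5432/tcp"
        # carry no "->" and are skipped
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r m; do
            case "$m" in
                *'->'*) ;;
                *) continue ;;
            esac
            hostpart=${m%%->*}      # e.g. 0.0.0.0:80, :::80, 127.0.0.1:3000
            hostip=${hostpart%:*}   # drop the trailing :port
            case "$hostip" in
                0.0.0.0|::|'') printf '%s %s\n' "$name" "$hostpart" ;;
            esac
        done
    done
}

# Stand-alone run: on a real host replace SAMPLE_PS with
#   docker ps --format '{{.Names}} {{.Ports}}'
wide_open_ports "$SAMPLE_PS"
```

Every line the function prints is a service that firewalld is not protecting; rebind it to 127.0.0.1 (or a specific host address) as the answer describes.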

Docker sets iptables rules per default. See Docker's Understand container communication for more information. You can also disable this in the Docker daemon with --iptables=false.

Alternatively, with docker-compose file version 2+ you could use the expose keyword instead of ports in your docker-compose.yml file to open this port only within the Docker network.

That said, you should probably disable iptables if you want to use firewalld.

dpaar
  • I have disabled iptables as far as I know: # systemctl status iptables Unit iptables.service could not be found. – Trav Erse Jul 05 '17 at 20:11
  • If I use the option --iptables=false I get the same issue: https://stackoverflow.com/questions/40792765/docker-internet-connectivity-with-iptables-false I can't get access to the Internet FROM my docker container. – Trav Erse Jul 12 '17 at 15:50
  • If you set `--iptables=false` you would have to manually configure forwarding to and from your Docker container. – dpaar Jul 14 '17 at 08:09