Docker Community Forums

Share and learn in the Docker community.

Docker iptables exposing the ports even though blocked in iptables


(Dv123) #1

Hi I am trying to block port 9200 and 9300 ports on my system for outbound communication
chain DOCKER is adding these rules
Chain DOCKER (3 references)
pkts bytes target prot opt in out source destination
17 820 ACCEPT tcp – !br-7c2c45a95ea8 br-7c2c45a95ea8 anywhere 192.168.224.2 tcp dpt:9000
10 472 ACCEPT tcp – !br-97c2e2b6a3c8 br-97c2e2b6a3c8 anywhere 192.168.208.11 tcp dpt:9300
16 776 ACCEPT tcp – !br-97c2e2b6a3c8 br-97c2e2b6a3c8 anywhere 192.168.208.11 tcp dpt:9200
12 560 ACCEPT tcp – !br-97c2e2b6a3c8 br-97c2e2b6a3c8 anywhere 192.168.208.14 tcp dpt:27017
616 31904 ACCEPT tcp – !br-97c2e2b6a3c8 br-97c2e2b6a3c8 anywhere 192.168.208.17 tcp dpt:https
115 5892 ACCEPT tcp – !br-97c2e2b6a3c8 br-97c2e2b6a3c8 anywhere 192.168.208.17 tcp dpt:http
616 31984 ACCEPT tcp – !br-97c2e2b6a3c8 br-97c2e2b6a3c8 anywhere 192.168.208.19 tcp dpt:https
I am adding INPUT chain rules to drop outside packets
Allow localhost to access port 9200,9300(any specific ip also can be mentioned instead of localhost)
sudo iptables -A INPUT -p tcp --dport 9200 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9300 -s 127.0.0.1 -j ACCEPT

Block all others to access this port
sudo iptables -A INPUT -p tcp --dport 9200 -j DROP
sudo iptables -A INPUT -p tcp --dport 9300 -j DROP
but looks like my iptable rules are not working
nmap is 9200 and 9300 as open ports

if I expose the ports only to localhost using 127.0.0.1:9200:9200 then ithe port is showing as filtered
but I want to enable/disable the port according to the need
but making it 127.0.0.1 will hard code it when the containers are running in run time