Prevent exposing ports

abdelazizsharaf · January 26, 2023, 8:36pm

Any example explaining ? That would be so helpful

Is this what you mean ?

meyay · January 26, 2023, 8:47pm

Sure, here we go.

Create the main container and check hostname and ip:

me@host:~$ docker run --name main --tty --detach --hostname main alpine
e892748a15f2499e047acb75c526dfe6ebfe5754db5a689f6415f31b03fca8b0
me@host:~$ docker exec main ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
729957: eth0@if729958: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
me@host:~$ docker exec main hostname
main

Start a second container and use the network namespace of the main container, then check hostname and ip.

me@host:~$ docker run --name guest --tty --interactive --network container:main alpine
/ # hostname
main
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
729957: eth0@if729958: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ #

Exit the 2nd container and cleanup with docker rm -f guest main

abdelazizsharaf · January 28, 2023, 12:21am

Now I was able to build a firewall container, attach it to macvlan network attaching any container to it’s network directly as a hook

To add something for other topic viewers

when using docker compose you could use either service name or container name

two things to consider

when the container stop the network deattach forever,
one need to set dependancies in compose file

docker network connect container:awall tester;
# Error response from daemon: container sharing network namespace with another container or host cannot be connected to any other network

would fail if firewall activated in build process as a lack of --cap-add,
one need to add the activation command to either CMD or ENTRYPOINT not RUN
You will need some capabilities, which is explained here :

That’s very satisfying for me,
Thanks, both of you

Topic		Replies	Views
Expose containers through Docker-proxy from a different vlan than the Docker host General	10	5050	July 19, 2023
Docker exposed ports are not accessible from all remote networks Compose docker , docker-compose	15	362	June 3, 2025
Running multiple docker containers with UFW and "--iptables=false" General docker	21	48565	October 16, 2019
Port Mapping with custom Host IP on Linux Docker Desktop docker-compose , ubuntu , linux	20	275	April 30, 2025
Confused about networking defaults, how to get VM IP with native port forwarding off? Docker Desktop	15	6276	September 28, 2016

Prevent exposing ports

Related topics