Preventing the outside world from seeing open container ports

Hi. When I do “docker run -p NNNN:MMMM …”, by default port NNNN on my Mac is accessible to the outside world (e.g. if the docker container is running some web server, it is accessible to a different machine on my network and potentially any machine on the internet).

I work in an environment where a security port scanner is constantly scanning machines on our corporate network looking for open http server ports. It makes nasty threats to my well being when it finds one on my machine. I’d like open docker container ports to be only accessible to the host (my mac laptop) and not accessible to the outside world.

I can prevent outside connections by going to my Mac’s System Preferences/Security/Firewall and setting “com.docker.slirp” to “Block incoming connections”.

Is that the preferred way to accomplish blocking outside connections, or is there a better way? e.g. can I set a flag in the container itself to only allow connections from the host?

I’m using docker mac beta Version 1.11.1-beta14 (build: 8670)

Thanks! – Adam

I believe that what you are looking for is binding only your local IP. Did you take a look at https://docs.docker.com/engine/userguide/networking/default_network/binding/ ?

Yes - apparently one can do…

docker run -p 127.0.0.1:8888:80 and that will restrict access. That page kind of says that, but without the example it wasn’t immediately obvious to me. Thanks for the hint. – Adam

So, is there an equivalent in docker-compose? It does not appear that “expose” supports the IP feature.
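As an added illustration of the point made in the thread (this is not code from the original posts or from Docker itself), here is a small POSIX shell checker for port specs in the form “docker run -p” accepts. It reports which host address each mapping binds to, so a mapping like 8888:80 (listening on every interface, which is what a network port scanner will find) can be told apart from 127.0.0.1:8888:80 (reachable only from the host). The function names, the sample specs, and the bracketed IPv6 handling are this script’s own conventions, not anything taken from the thread.

```shell
#!/bin/sh
# Added example: audit docker "-p" / compose "ports" specs for host-wide exposure.
# Function names (bind_addr, loopback_only, audit_specs) and the sample
# specs below are constructed for this example.

# Print the host address a port spec binds to.
# Accepted forms, matching what "docker run -p" takes:
#   CONTAINERPORT                  -> 0.0.0.0 (all interfaces)
#   HOSTPORT:CONTAINERPORT         -> 0.0.0.0 (all interfaces)
#   HOSTIP:HOSTPORT:CONTAINERPORT  -> HOSTIP
# A trailing "/tcp" or "/udp" is ignored. Bracketed IPv6 hosts such as
# "[::1]:8888:80" are handled as an assumption about the spec format.
bind_addr() {
    spec=${1%/*}                       # strip an optional /tcp or /udp suffix
    case "$spec" in
        \[*\]:*) addr=${spec%%]*}; printf '%s\n' "${addr#[}" ;;
        *:*:*)   printf '%s\n' "${spec%%:*}" ;;
        *)       printf '0.0.0.0\n' ;;
    esac
}

# Succeed (exit 0) only when the spec is reachable from the host itself.
loopback_only() {
    case "$(bind_addr "$1")" in
        127.*|::1|localhost) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Read one spec per line on stdin, print a verdict per line, and return 1
# if any mapping listens on all interfaces.
audit_specs() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if loopback_only "$line"; then
            printf 'LOCAL    %-22s bound to %s\n' "$line" "$(bind_addr "$line")"
        else
            printf 'EXPOSED  %-22s bound to %s\n' "$line" "$(bind_addr "$line")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the two mappings discussed in the thread plus
# two more shapes. The same HOSTIP:HOSTPORT:CONTAINERPORT string works in
# the compose short syntax for "ports", e.g.
#   services:
#     web:
#       ports:
#         - "127.0.0.1:8888:80"
audit_specs <<'EOF' || echo "at least one mapping is reachable from the network"
8888:80
127.0.0.1:8888:80
[::1]:8888:80
9000:9000/udp
EOF
```

Running the script prints one verdict per mapping and the trailing message, because 8888:80 and 9000:9000/udp bind to 0.0.0.0. Feeding it the “ports” entries of a compose file before bringing a stack up is a cheap way to catch a mapping that a host firewall rule would otherwise have to cover.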