I want to restrict access to the ports that Docker exposes.
Most of my exposed ports are used through a reverse proxy, so it would be enough if these exposed ports were accessible only from localhost.
I know that I could use a `127.0.0.1:8080:80` port mapping in Docker, but it would be better for me if simply doing `-p 8080:80` only allowed access from localhost.
Right now, for testing, I have a port mapped like this:

```yaml
ports:
  - 222:22
```
I have added a rule like this to the `DOCKER-USER` chain, but I can still access this port 222 from outside:

```
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 222 -j DROP
-A DOCKER-USER -j RETURN
```
Why is this rule not working?
Also, there are a few ports which should be accessible from our VPN network.
So I would think that a DROP policy on the `DOCKER-USER` chain would be great for me, and then I would allow these specific ports.
Can someone help me debug this and get it working?
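An added example, not part of the question above and not an answer posted on the page: a POSIX shell helper that emits the `DOCKER-USER` rules for the setup described (block published ports arriving on the external interface, allow them from a VPN range, leave localhost, `docker0` and Docker's own traffic alone). The interface name `eth0`, the VPN range `10.8.0.0/24` and the port list are assumptions. The rules match the pre-DNAT destination port with the conntrack match's `--ctorigdstport`, because Docker publishes `-p 222:22` with a DNAT rule in `nat/PREROUTING`; by the time a packet reaches `DOCKER-USER` in `filter/FORWARD` its destination port is already 22, so a plain `--dport 222` never matches.

```shell
#!/bin/sh
# Added example (not from the original question). Emits iptables commands that
# restrict Docker-published ports in the DOCKER-USER chain.
#
# Why "--dport 222" fails: Docker's DNAT in nat/PREROUTING rewrites 222 -> 22
# before filter/FORWARD (where DOCKER-USER is jumped to) ever sees the packet.
# The conntrack match still knows the original port, so filter on that instead.
#
# Assumed values (adjust to your host): EXT_IF=eth0, VPN_NET=10.8.0.0/24,
# published ports 222 and 8080.
set -eu

# print_rules EXT_IF VPN_NET PORT...
# Prints the commands to stdout for review; run them as root to apply.
print_rules() {
  ext_if=$1
  vpn_net=$2
  shift 2

  # Start from an empty DOCKER-USER chain (Docker only ever adds a RETURN to it).
  echo "iptables -F DOCKER-USER"

  # Flows already accepted by the rules below (and replies to outbound
  # container traffic) are not re-evaluated.
  echo "iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"

  # Anything not arriving on the external interface (lo, docker0, a VPN tun
  # device) is left to Docker's own rules; localhost access keeps working.
  echo "iptables -A DOCKER-USER ! -i $ext_if -j RETURN"

  # The VPN range may reach the listed published ports. Match the port as it
  # was BEFORE Docker's DNAT rewrote it.
  for port in "$@"; do
    echo "iptables -A DOCKER-USER -i $ext_if -s $vpn_net -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN"
  done

  # Every other new connection from the external interface towards a
  # container is dropped. This is the "default DROP" the question asks for;
  # a user-defined chain has no policy, so an explicit final DROP is used.
  echo "iptables -A DOCKER-USER -i $ext_if -m conntrack --ctstate NEW -j DROP"

  # Hand everything else back to Docker's chains.
  echo "iptables -A DOCKER-USER -j RETURN"
}

# Example invocation; remove "| sh" to apply for real (as root):
print_rules eth0 10.8.0.0/24 222 8080
```

To confirm the diagnosis on the host, `iptables -t nat -S DOCKER` shows the DNAT rule that rewrites destination port 222 to 22, and the packet counters in `iptables -vnL DOCKER-USER` show which of the rules above actually matched a test connection. For the wish that a bare `-p 8080:80` bind only to localhost, setting `"ip": "127.0.0.1"` in `/etc/docker/daemon.json` changes the default bind address dockerd uses for published ports.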