Restricting exposed Docker ports with iptables

I have also found "Steps for limiting outside connections to docker container with iptables?" on Server Fault.

For example:

iptables -A DOCKER-USER -i eth0 -s 8.8.8.8 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j ACCEPT
iptables -A DOCKER-USER -i eth0 -s 4.4.4.4 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j DROP

I’m using the DOCKER-USER chain only for Docker-related iptables rules.
The rules seem really great, but I don’t know how I can apply this generally for all ports.
So I don’t want to create a new rule for every newly opened port like this one:

iptables -A DOCKER-USER -i eth0 -p tcp -m conntrack --ctorigdstport 3306 --ctdir ORIGINAL -j DROP

and then define specific rules for each port. I want something general which defaults to drop for all ports.

That would be really great, because multiple users are creating Docker containers on this server and I don’t want new ports to get exposed automatically, just by adding a manual ACCEPT rule for each port.
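
One way to get the default-drop behaviour asked about above, as an added example that is not part of the original post: a POSIX shell function that prints (it does not apply) a DOCKER-USER rule set built from an allowlist. The function name, the `SRC:PORT` entry format, flushing the chain first and the ESTABLISHED,RELATED rule are assumptions of this example; `eth0`, the addresses and the port are the ones from the post.

```shell
#!/bin/sh
# Added example: default-drop DOCKER-USER rules generated from an allowlist.
# Hypothetical helper, IPv4 only. It prints the iptables commands so they
# can be reviewed first; pipe the output to `sh` as root to apply them.
#
# Usage: gen_docker_user_rules EXT_IF SRC:PORT [SRC:PORT ...]
gen_docker_user_rules() {
    ext_if=$1
    shift

    # Assumption: the chain holds only these rules, so start from empty.
    # This also removes any earlier RETURN that would shadow appended rules.
    echo "iptables -F DOCKER-USER"

    # Replies to connections the containers opened themselves arrive on the
    # external interface too; without this rule the final DROP breaks them.
    echo "iptables -A DOCKER-USER -i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    for entry in "$@"; do
        src=${entry%:*}
        port=${entry##*:}
        # Reject anything that is not a plain TCP port number.
        case $port in
            ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$entry'" >&2
            return 1
        fi
        # Same match as in the post: the port the client originally dialled
        # on the host, which is the published port, not the container port.
        echo "iptables -A DOCKER-USER -i $ext_if -s $src -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j ACCEPT"
    done

    # Everything else entering from outside towards a container is dropped,
    # so a newly published port stays closed until it gets an entry above.
    echo "iptables -A DOCKER-USER -i $ext_if -j DROP"
}

# Dry run with the values from the post.
gen_docker_user_rules eth0 8.8.8.8:3306 4.4.4.4:3306
```

Traffic that does not arrive on the external interface, such as container-to-container traffic on a Docker bridge, matches none of these rules and falls through to Docker's own chains.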