Running multiple docker containers with UFW and "--iptables=false"

I’ve successfully blocked the Docker ingress network by rejecting all incoming packets to DOCKER-INGRESS using iptables -I DOCKER-INGRESS -i eth0 ! -s 127.0.0.1 -j REJECT (replace eth0 with your interface).

--iptables=false has no effect when net.ipv4.conf.all.forwarding=1

Docker has provided documentation here: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communicating-to-the-outside-world

PS. Don’t forget to save your iptables settings.


Pretty surprising how few people are using iptables with docker… Just realized ufw is not working to deny what I set it up to deny 0_0

I’ve started using the iptables rules described here:

And when I run “ufw default deny” and then run nmap domain.com externally, I can see lots of ports are still “open.” So how does the Docker community recommend this be done?
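An added example for both posts above (written for this page; it is not code from either poster or from Docker): it turns the manual DOCKER-INGRESS rule from the first post into a reproducible, reviewable ruleset, and adds the check the second post is missing, namely confirming from an iptables-save dump that the reject rule is actually present for the external interface, rather than trusting ufw's status output. The interface name and the optional trusted CIDR are parameters chosen here; the DOCKER-INGRESS chain is the one Docker creates in swarm mode, and the sample dump is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Docker.
# Assumptions: the external interface and an optional trusted CIDR are given as
# arguments; the DOCKER-INGRESS chain exists (Docker creates it in swarm mode).
set -u

# Print the commands that block external traffic into DOCKER-INGRESS.
# Nothing is applied here: review the output, run it as root, then persist it
# (iptables-save, or netfilter-persistent) as the first post reminds you to.
docker_ingress_rules() {
  iface="$1"            # external interface, e.g. eth0
  trusted="${2:-}"      # optional CIDR that may still reach published ports
  # Rule from the first post: reject everything arriving on $iface.
  printf 'iptables -I DOCKER-INGRESS -i %s ! -s 127.0.0.1 -j REJECT\n' "$iface"
  # Printed second on purpose: -I inserts at position 1, so when the lines are
  # executed in order the RETURN for the trusted network lands above the REJECT.
  if [ -n "$trusted" ]; then
    printf 'iptables -I DOCKER-INGRESS -i %s -s %s -j RETURN\n' "$iface" "$trusted"
  fi
}

# Read an iptables-save dump on stdin and succeed (exit 0) only if DOCKER-INGRESS
# carries a REJECT for the interface. iptables-save prints "! -s 127.0.0.1/32"
# before "-i", so match on chain, interface and target rather than exact text.
ingress_rule_present() {
  iface="$1"
  grep -Eq "^-A DOCKER-INGRESS .*-i ${iface} .*-j REJECT"
}

# Constructed sample dump (roughly what "iptables-save -t filter" could show
# after running the generated command for eth0); not captured from a real host.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-INGRESS - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS ! -s 127.0.0.1/32 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-INGRESS -j RETURN
-A DOCKER-USER -j RETURN
COMMIT'

# Stand-alone run: show the generated commands, then verify the sample dump.
docker_ingress_rules eth0 10.0.0.0/8
if printf '%s\n' "$SAMPLE_DUMP" | ingress_rule_present eth0; then
  echo "DOCKER-INGRESS reject rule present for eth0"
else
  echo "DOCKER-INGRESS reject rule missing for eth0" >&2
fi
```

On a live host, feed the check with the real table (`iptables-save -t filter | ingress_rule_present eth0`) after a reboot as well as before it; a rule that is present only until the next restart is exactly the gap the first post's "don't forget to save" warns about, and it is also why an external nmap can still show published ports as open even though ufw reports a default deny policy.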