[UNSOLVABLE YET] Block exposed port on selected interface

Hello,

I have a container with an exposed port (let’s say 5000) but I want this port to be available only on the host and not outside the host.

Any idea?

Thanks.

That’s what the optional IP address part of the docker run -p option is for. If you run the container with

docker run -p127.0.0.1:5000:5000 ...

then it won’t be accessible from off the host.

(P.S.: If you depend on other containers being able to reach this service via the host IP address, this breaks that)

(P.P.S.: “Expose”, as in the Dockerfile directive or the docker run --expose option, doesn’t actually mean much; “publish”, as in docker run -p, controls what can be connected to externally)
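Added example, not part of the posts above: on a Linux Docker host, the difference between a loopback-only publish, an all-interfaces publish and a port that is merely exposed shows up in the Ports column of `docker ps`. The function name `audit_published_ports` and the sample container names are assumptions made for this illustration, and the sample input is constructed.

```bash
#!/usr/bin/env bash
# Classify every port mapping reported by `docker ps` by where it is reachable.
# Input: one container per line, "<name><TAB><ports column>", as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: "<name><TAB><mapping><TAB><verdict>" for each mapping.
audit_published_ports() {
  awk -F '\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        if (m == "") continue
        if (index(m, "->") == 0) {
          # No "->": the port is only exposed, nothing is published on the host.
          verdict = "exposed-only"
        } else {
          host = m
          sub(/->.*/, "", host)       # keep "ip:port" left of the arrow
          sub(/:[0-9-]+$/, "", host)  # drop the host port or port range
          if (host ~ /^127\./ || host == "::1" || host == "[::1]")
            verdict = "loopback-only"  # e.g. -p 127.0.0.1:5000:5000
          else
            verdict = "EXTERNAL"       # 0.0.0.0, ::, or a routable address
        }
        printf "%s\t%s\t%s\n", $1, m, verdict
      }
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS=$(printf '%s\t%s\n' \
  rest-open    '0.0.0.0:5000->5000/tcp, :::5000->5000/tcp' \
  rest-local   '127.0.0.1:5000->5000/tcp' \
  rest-exposed '5000/tcp')

printf '%s\n' "$SAMPLE_PS" | audit_published_ports
```

On a live host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into the function instead of the sample.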

I tried it and it doesn’t work on Windows :frowning:

docker run -p 127.0.0.1:5000:5000 -i -t --name rest rest:latest

C:\Program Files\Docker\Docker\Resources\bin\docker.exe: Error response from daemon: failed to create endpoint rest on network nat: Windows does not support host IP addresses in NAT settings.

By the way I use a NAT network as the container needs to download software, but I can remove that if another docker network configuration can be used for my purpose.

If you are using NAT in your host VM, then as long as you didn’t forward that port number 5000, outside will not be able to access your container, so you are safe.

Thanks, but the host is not a VM.

Then isn’t it simply just a firewall setting to block the port number?

Ok, solution found: use Linux instead of Windows :slight_smile:

Thanks.