Where does docker save the iptables-rules permanently in Ubuntu 24.04?

Hello,

How can I block port 8000 with iptables from outside for all Docker containers?
Port 8000 is used by COOLIFY!!!

Where does docker save the iptables-rules permanently in Ubuntu 24.04?

Best regards

MB

Hello and welcome,

Why is it necessary to block access from the outside world to the container's port :8000?
If you don't want to have access to the container's port :8000, don't publish that port to the outside world. You can still access the container from other containers using the container name and port :8000 (to stay with this port in this example).
Or, if you need access only from your host machine but not from the outside world, you can publish the container's port to 127.0.0.1:8000 instead of publishing it to 0.0.0.0:8000, as in the following snippet from a docker-compose.yml:

ports:
  - "127.0.0.1:8000:8000"

This made me curious

I wonder if there is some way to disable the loopback address (127.0.0.1) and set up a DNS which redirects 127.0.0.1 to a specific machine

If that is possible, would the container accept a request sent to it then?

Edit: Oops, not a DNS, that doesn’t do IPs, it’s a network level issue, sorry, brainfart

Everything to know about Docker and iptables is probably here

Search for DOCKER-USER
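As an added example (not code from the thread or from Docker itself), the following POSIX shell script shows the DOCKER-USER approach the previous reply points at: it builds the rule that drops outside connections to a published container port, inserts it only if it is not already present, and saves the ruleset, because Docker regenerates its own chains at startup but does not persist anything placed in DOCKER-USER. The external interface name eth0, the port 8000 and the presence of the iptables-persistent package are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the forum thread): drop outside connections to a
# published container port via Docker's DOCKER-USER chain.
# Assumptions (not from the thread): the external interface is named eth0
# and the port to protect is 8000. Override EXT_IF / PORT to match your host.
EXT_IF="${EXT_IF:-eth0}"
PORT="${PORT:-8000}"

# Build the rule body. Published ports are DNATed in PREROUTING before the
# FORWARD chain (and thus DOCKER-USER) sees the packet, so "--dport" would
# already show the container-side port; matching on the connection's
# original destination port (conntrack --ctorigdstport) is the form Docker's
# documentation recommends.
docker_user_drop_rule() {
  ext_if="$1"; port="$2"
  printf '%s' "-i $ext_if -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
}

# Insert the rule at the top of DOCKER-USER only if it is not already there
# (iptables -C returns non-zero when no identical rule exists), so the script
# can be re-run safely.
apply_docker_user_drop_rule() {
  rule="$(docker_user_drop_rule "$1" "$2")"
  # shellcheck disable=SC2086  # word-splitting of $rule is intended
  if iptables -C DOCKER-USER $rule 2>/dev/null; then
    echo "rule already present in DOCKER-USER"
  else
    iptables -I DOCKER-USER $rule
    echo "inserted into DOCKER-USER: $rule"
  fi
}

# Docker does not persist what you put in DOCKER-USER; on Ubuntu the
# iptables-persistent package (assumed to be installed) saves the current
# ruleset to /etc/iptables/rules.v4 and restores it at boot.
persist_rules() {
  if command -v netfilter-persistent >/dev/null 2>&1; then
    netfilter-persistent save
  else
    echo "netfilter-persistent not found; install iptables-persistent to save rules" >&2
    return 1
  fi
}

# Dry run by default: only print the rule. Set APPLY=1 and run as root to
# change the live firewall.
if [ "${APPLY:-0}" = "1" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
  apply_docker_user_drop_rule "$EXT_IF" "$PORT"
  persist_rules
  iptables -L DOCKER-USER -n --line-numbers
else
  echo "dry run; would insert into DOCKER-USER: $(docker_user_drop_rule "$EXT_IF" "$PORT")"
fi
```

Run it once without arguments to see the rule it would insert, then `APPLY=1 EXT_IF=<your-external-interface> PORT=8000 sudo -E sh block-port.sh` to apply it. Because the rule is matched by interface and original destination port, container-to-container traffic on the Docker bridge and connections from the host itself are unaffected; only connections arriving on the external interface for that published port are dropped.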

HELP:
Where does docker save the iptables-rules permanently in Ubuntu 24.04?

Port 8000:
I have installed COOLIFY and now I will close port 8000, but none of the rules work!

Best regards
MB

HELP:
Where does docker save the iptables-rules permanently in Ubuntu 24.04?

It doesn't. It stores container and network metadata and creates the rules when you start Docker. I shared the documentation about the topic, but I rarely write iptables rules; instead I just don't forward ports to containers rather than trying to undo that using iptables.


Thank you!
In which files can I find the rules that Docker loads after startup?

There must be a rule for port 8000 somewhere, which COOLIFY uses, right?

Best regards

I don't think it is a single file. As I wrote, there is network metadata and individual container metadata. It wouldn't help, and you should never touch those files. The network database is a binary file anyway, and there are container metadata JSON files and lots of other files under the Docker data root (/var/lib/docker). Since I had a post about the network database, I can share it,

but it will still not help. It is not something you will change.