Reputation: 51
I have several web services in different containers, and I redirected port 80 of each server to another port on the host server (container 1 80 -> 8003, container 2 80 -> 8004, container 3 80 -> 8005). I want to prevent access to these ports except from a preconfigured IP list.
I've added iptables rules to the "docker-user" chain as follows:
-A INPUT -s 212.154.74.194/32 -p tcp -j ACCEPT   # accept all from this ip
-A INPUT -s 185.22.208.0/25 -p tcp -j ACCEPT     # accept all from this ip
-A INPUT -p tcp -m tcp --dport 8003 -j DROP      # block anyone except allowed ips
-A INPUT -p tcp -m tcp --dport 8004 -j DROP      # block anyone except allowed ips
-A INPUT -p tcp -m tcp --dport 8005 -j DROP      # block anyone except allowed ips
But it doesn't work. Routed ports can still be accessed from the outside. I don't know what I did wrong. How can I block access to routed ports?
Upvotes: 3
Views: 2066
Reputation: 2660
Seems like the Docker docs answer your question pretty exhaustively:
By default, all external source IPs are allowed to connect to the Docker daemon. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, the following rule restricts external access to all IP addresses except 192.168.1.1:
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
To allow a specific subnet:
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
Bonus: you can also limit connections entirely to localhost: docker run -p 127.0.0.1:8003:80 ... (the -p syntax is host-ip:host-port:container-port) should automatically restrict the access to localhost.
Alternatively with docker compose:
webapp:
  image: image_name
  ports:
    - "127.0.0.1:8003:80"   # host-ip:host-port:container-port
Upvotes: 4
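A worked version of the allow-list approach for the ports in the question, as an added example that is not code from the question, the answer or the Docker docs. It assumes eth0 as the external interface (placeholder) and generates DOCKER-USER rules rather than INPUT rules, because published ports are forwarded to the container and never traverse INPUT; and since DOCKER-USER runs after DNAT, the original host port has to be matched with conntrack's --ctorigdstport instead of --dport.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Docker): print the
# DOCKER-USER rules that let only an allow-list reach published ports
# 8003-8005; apply them only when invoked with --apply (as root).
# Assumptions: external interface eth0 is a placeholder; the allow-list
# and the host ports are the ones from the question.
EXT_IF="eth0"
ALLOW_SRCS="212.154.74.194/32 185.22.208.0/25"
PUBLISHED_PORTS="8003 8004 8005"

# Emit one iptables command per line with explicit insert positions, so the
# final order is: established flows, then allow-list, then drop. Plain -A
# would land behind Docker's own trailing "-j RETURN" in DOCKER-USER.
# Packets reach DOCKER-USER after DNAT, so --dport would already show the
# container port (80); the original host port is matched via conntrack.
docker_user_rules() {
  pos=1
  echo "iptables -I DOCKER-USER $pos -i $EXT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
  for port in $PUBLISHED_PORTS; do
    for src in $ALLOW_SRCS; do
      pos=$((pos + 1))
      # RETURN hands the packet back to FORWARD, where Docker's rules accept it.
      echo "iptables -I DOCKER-USER $pos -i $EXT_IF -p tcp -s $src -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j RETURN"
    done
    pos=$((pos + 1))
    # Anyone else who targeted this published port is dropped.
    echo "iptables -I DOCKER-USER $pos -i $EXT_IF -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL -j DROP"
  done
}

case "${1:-}" in
  --apply) docker_user_rules | sh -ex ;;   # needs root; applies in printed order
  *) docker_user_rules ;;                  # default: dry run, just print the commands
esac
```

The docs' single negated rule (`! -s`) only works for one source; with several allowed networks you need explicit per-source allow rules ahead of the drop, which is what the positions above enforce.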