Reputation: 1091
I have an application that is creating a few containers in a user-defined docker network.
Currently I have forwarded (mapped) a few ports from some of the containers in that network to the host machine so that I can access them from the host. The interaction between the containers (container to container) is happening via aliases that are defined in the network.
Unfortunately the mapped ports are publicly exposed on my host machine. Is there a way that these mapped ports can be made accessible only from the localhost of my host machine?
Upvotes: 1
Views: 258
Reputation: 4767
If you are using docker run -p [port-number]:[port-number] to forward your ports, you can use:
docker run -p 127.0.0.1:80:80 container
instead of:
docker run -p 80:80 container
By default, Docker exposes your ports on all available interfaces.
Upvotes: 6
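An added example, mine rather than code from the answer above or from Docker itself: a small POSIX sh audit that parses `-p` publish specs in the `[host_ip:][host_port:]container_port[/proto]` form that `docker run` accepts, plus the `80/tcp -> 0.0.0.0:8080` lines that `docker port` prints, flags anything not bound to a loopback address, and prints the loopback-only rewrite the answer recommends. The function names and the sample specs at the bottom are my own constructions; the IPv6 handling goes slightly beyond the answer (a bracketed `[::]` bind is rewritten to `[::1]`).

```shell
#!/bin/sh
# Added example (not from the answer or from Docker): audit "docker run -p"
# publish specs and "docker port" output for bindings on all interfaces.
# Publish spec grammar (docker run reference):
#   [host_ip:][host_port:]container_port[/proto]
# An omitted host_ip means the port is bound on all interfaces.

# Print the host IP a publish spec binds to; prints an empty line when the
# spec would bind on all interfaces.
publish_bind_ip() {
    spec=${1%/*}                         # drop a trailing /tcp or /udp
    case $spec in
        "["*"]:"*)                       # bracketed IPv6: [::1]:8080:80
            ip=${spec#"["}
            printf '%s\n' "${ip%%"]"*}" ;;
        *:*:*)                           # host_ip:host_port:container_port
            printf '%s\n' "${spec%%:*}" ;;
        *)                               # host_port:container_port or container_port
            printf '\n' ;;
    esac
}

# Succeed (exit 0) when the spec binds only to a loopback address.
publish_is_loopback() {
    case $(publish_bind_ip "$1") in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Rewrite a spec to the loopback-only form the answer recommends
# (127.0.0.1 for IPv4 specs, [::1] for bracketed IPv6 specs). A bare
# container port becomes 127.0.0.1::port, i.e. a random host port on loopback.
publish_to_loopback() {
    spec=$1
    if publish_is_loopback "$spec"; then
        printf '%s\n' "$spec"
        return 0
    fi
    case ${spec%/*} in
        "["*"]:"*) printf '[::1]:%s\n' "${spec#*"]:"}" ;;
        *:*:*)     printf '127.0.0.1:%s\n' "${spec#*:}" ;;
        *:*)       printf '127.0.0.1:%s\n' "$spec" ;;
        *)         printf '127.0.0.1::%s\n' "$spec" ;;
    esac
}

# "docker port NAME" prints lines such as "80/tcp -> 0.0.0.0:8080";
# succeed when the line shows a loopback binding.
port_line_is_loopback() {
    bind=${1##*"-> "}                    # text after the arrow
    case $bind in
        127.*|"[::1]:"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Read specs one per line on stdin, print a verdict for each, and return 1 if
# any spec is exposed on all interfaces (usable as a CI check on compose files).
audit_publish_specs() {
    exposed=0
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        if publish_is_loopback "$spec"; then
            printf 'ok       %s\n' "$spec"
        else
            printf 'EXPOSED  %-24s  use -p %s\n' "$spec" "$(publish_to_loopback "$spec")"
            exposed=1
        fi
    done
    return "$exposed"
}

# Constructed sample specs (not taken from the question).
SAMPLE_SPECS='80:80
127.0.0.1:5432:5432
0.0.0.0:8080:80/tcp
[::1]:9000:9000
[::]:6379:6379
3000'

printf '%s\n' "$SAMPLE_SPECS" | audit_publish_specs || :
```

To check a running host rather than a command line, pipe `docker port NAME` through a loop over `port_line_is_loopback`; a `0.0.0.0` or `[::]` bind in that output is exactly what the question describes.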
Reputation: 2263
If you are on Linux you can use iptables for that.
iptables -A INPUT -p tcp -s localhost --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Just change 8080 to the port you want and run it multiple times for each port you are exposing.
The first command is "anything coming from localhost to port 8080, allow it" and the second is "drop anything coming into port 8080".
This change is not permanent; it will reset after you reboot, but you can save it with:
iptables-save > /etc/iptables.conf
And restore it with:
iptables-restore < /etc/iptables.conf
Upvotes: 1
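An added example, mine rather than the answer's own commands: since the answer says to run the two rules once per exposed port, this POSIX sh script generates the "accept from loopback, then drop" pair for any number of ports and emits the whole set in the `iptables-save` format, so it can be reviewed as a file and loaded in one go with `iptables-restore --noflush` (a real flag; it appends without discarding existing rules). My own assumptions: TCP ports, the filter table, the INPUT chain as in the answer (overridable through the `CHAIN` variable), and `127.0.0.1` in place of the hostname `localhost`, which the save format does not resolve. One caveat worth checking on a Docker host: Docker's own documentation notes that traffic to published ports is DNATed and filtered in the FORWARD path (the DOCKER-USER chain is provided for that), so after loading, confirm with `iptables -L INPUT -v -n` that the packet counters on these rules actually move for the traffic you intend to block.

```shell
#!/bin/sh
# Added example (mine, not from the answer): generate the answer's rule pair
# for any number of published host ports in iptables-save format, so the set
# can be loaded with "iptables-restore --noflush" instead of running the two
# commands once per port.
# Assumptions of my own: TCP, filter table, INPUT chain unless CHAIN is set.

: "${CHAIN:=INPUT}"

# Succeed when $1 is an integer in 1..65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the two rules for one port. ACCEPT comes first so that, appended
# with -A, it is evaluated before the DROP that follows it.
loopback_only_rules() {
    printf -- '-A %s -p tcp -s 127.0.0.1 --dport %s -j ACCEPT\n' "$CHAIN" "$1"
    printf -- '-A %s -p tcp --dport %s -j DROP\n' "$CHAIN" "$1"
}

# Print a complete iptables-restore fragment for all given ports. Every port
# is validated before anything is printed, so a typo cannot produce a
# half-written fragment.
loopback_only_ruleset() {
    for p in "$@"; do
        is_port "$p" || { printf 'invalid port: %s\n' "$p" >&2; return 1; }
    done
    printf '*filter\n'
    for p in "$@"; do
        loopback_only_rules "$p"
    done
    printf 'COMMIT\n'
}

# Demo with constructed ports (not taken from the question). The load itself
# is not run here: it needs root and should follow a review of the output.
loopback_only_ruleset 8080 5432 9000
echo '# save the output above to a file, review it, then as root:'
echo '#   iptables-restore --noflush < rules.v4'
```

Keeping the generated fragment in version control alongside the `docker run` or compose file that publishes the ports makes it obvious when a newly published port has no matching rule pair.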