Running docker containers only local behind csf firewall
I want to access docker containers only locally behind the csf firewall on a remote Ubuntu server. I changed the DOCKER
settings options in /etc/csf/csf.conf
to 1
to allow docker to change iptable rules.
If I am starting my container with -p 8000:8000
, the port 8000
is exposed to the whole world (I can access the website with mydomain.com:8000
, as expected, but not what I wanted). If I am starting the container with -p 127.0.0.1:8000:8000
I can't access it with mydomain.com:8000
(which is great), but in both cases calling localhost:8000
will result in an ERR_EMPTY_RESPONSE
error in Chrome or curl: (52) Empty reply from server
in the terminal.
Tried it with different containers and different ports. After disabling csf, it works without the empty-reply-error so is must be related to csf.
How to configure csf to expose and access docker container over specific ports only locally?
Sidenote: I am working remotely on the server with ssh [email protected] -L 8000:localhost:8000
.
Solution 1:
Had the same scenario. Found that packets from lo to docker0 were being blocked by CSF's OUTPUT ruleset.
Resolved by adding "docker0" to ETH_DEVICE_SKIP, which causes CSF to add a blanket ACCEPT rule to the INPUT and OUTPUT chains for this interface. This should not be a problem since AFAIK docker0 should never be bound to a physical interface, but someone with more Docker experience might know otherwise.