Running docker containers only local behind csf firewall

I want to access docker containers only locally behind the csf firewall on a remote Ubuntu server. I changed the DOCKER settings options in /etc/csf/csf.conf to 1 to allow docker to change iptable rules.

If I am starting my container with -p 8000:8000, the port 8000 is exposed to the whole world (I can access the website with mydomain.com:8000, as expected, but not what I wanted). If I am starting the container with -p 127.0.0.1:8000:8000 I can't access it with mydomain.com:8000 (which is great), but in both cases calling localhost:8000 will result in an ERR_EMPTY_RESPONSE error in Chrome or curl: (52) Empty reply from server in the terminal.

Tried it with different containers and different ports. After disabling csf, it works without the empty-reply-error so is must be related to csf.

How to configure csf to expose and access docker container over specific ports only locally?

Sidenote: I am working remotely on the server with ssh [email protected] -L 8000:localhost:8000.

Solution 1:

Had the same scenario. Found that packets from lo to docker0 were being blocked by CSF's OUTPUT ruleset.

Resolved by adding "docker0" to ETH_DEVICE_SKIP, which causes CSF to add a blanket ACCEPT rule to the INPUT and OUTPUT chains for this interface. This should not be a problem since AFAIK docker0 should never be bound to a physical interface, but someone with more Docker experience might know otherwise.