How to block docker-mapped ports with a firewall from outside the host without messing up docker routing inside the host?

networking docker firewall iptables firewalld

I have a docker container running on a host with some port mapped to a port on the host.

docker run -d -p 9009:9009 someserver

I want this machine firewalled off from the internet except for 80, 443 and 22.

But I still want processes inside the host to be able to connect to 9009.

I was a little shocked to find out docker seems to completely circumvent any firewall rules for dropping packets.

I tried on centos 7 with both firewalld and iptables to block everything except 80, 443, and 22. Somehow I was still able to get at the docker port-mapped container (port 9009) from outside the host! Some solutions I found seem to mess up routing entirely for docker - either make docker containers not be able to get to the internet or whatever.

Is my scenario possible?

This seems to be asking the same question: https://security.stackexchange.com/questions/66136/docker-port-forwarding-exposure


It looks like I can bind my exposed container ports to localhost only.

docker run -d -p 127.0.0.1:9009:9009 someserver

Related

Why is VLC slower than MPV/MPlayer?
Using ' (' (space followed by parenthesis) as field separator in awk
Windows 7 Library Location Limit
How to check if an object is not of a particular type?
How to use regex to parse a number from HTML?
What does "new int(100)" do?
Equivalence of Rails console for Node.js
Suffix Array Algorithm
orderBy two fields (one in reverse)
How to render thin fonts more smoothly in CSS 3 on Windows?
Superscript and subscript axis labels in ggplot2 [duplicate]
What's the idiomatic way to append a slice to a vector?