How to block docker-mapped ports with a firewall from outside the host without messing up docker routing inside the host?

I have a docker container running on a host with some port mapped to a port on the host.

docker run -d -p 9009:9009 someserver

I want this machine firewalled off from the internet except for 80, 443 and 22.

But I still want processes inside the host to be able to connect to 9009.

I was a little shocked to find out docker seems to completely circumvent any firewall rules for dropping packets.

I tried on centos 7 with both firewalld and iptables to block everything except 80, 443, and 22. Somehow I was still able to get at the docker port-mapped container (port 9009) from outside the host! Some solutions I found seem to mess up routing entirely for docker - either make docker containers not be able to get to the internet or whatever.

Is my scenario possible?

This seems to be asking the same question: https://security.stackexchange.com/questions/66136/docker-port-forwarding-exposure


It looks like I can bind my exposed container ports to localhost only.

docker run -d -p 127.0.0.1:9009:9009 someserver