
I am trying Docker with a simple web app:

docker run -d -v $(pwd):/app -p 8080:80 image_name

I have Docker listening on 8080:

tcp6 0 0 :::8080 :::* LISTEN 13304/docker

So I can test my web app through localhost:8080.

I use iptables via UFW and I deny all incoming traffic except ports 80, 443 and 22.

But surprisingly, if I netcat from the Internet to my machine on port 8080, I can access my web app!!

Docker must be doing something special, because if I start socat like this:

socat TCP6-LISTEN:8080 TCP4:www.google.fr:80

I see:

tcp6 0 0 :::8080 :::* LISTEN 11577/socat

But this time I can't connect from the outside ... UFW does its job ...

Rory McCune
kondor
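As an added example (it is not part of the original question or of either answer), here is a small POSIX shell script that audits `netstat -tlnp`-style output, flags every listener bound to a wildcard address (0.0.0.0 or ::), and then singles out the ones owned by Docker's port-publishing process. These are exactly the sockets that the question's UFW rules do not cover, because Docker's own iptables rules accept the traffic before UFW sees it. The sample lines are constructed; the program name `docker` is what the question shows, and the match also accepts `docker-proxy`, which newer Docker versions use.

```shell
#!/bin/sh
# Added example, not from the original post. Finds published Docker ports
# that are reachable on all interfaces and therefore bypass UFW.

# Constructed netstat -tlnp style sample. 8080 is a Docker port bound to
# every interface (the situation in the question); 8081 is a Docker port
# correctly bound to 127.0.0.1 only.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1001/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1200/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      13304/docker
tcp        0      0 127.0.0.1:8081          0.0.0.0:*               LISTEN      13310/docker-proxy
tcp6       0      0 ::1:5432                :::*                    LISTEN      1300/postgres
tcp6       0      0 :::8443                 :::*                    LISTEN      11577/socat'

# Read netstat-style lines on stdin; print "<port> <program>" for every
# LISTEN socket whose local address is a wildcard (0.0.0.0 or ::).
wildcard_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # everything before the final ":<port>" is the host part
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") {
            split($7, pp, "/")
            print port, pp[2]
        }
    }'
}

# Of the wildcard listeners, keep those owned by Docker ("docker" as in the
# question, or "docker-proxy" on newer releases). Prints one port per line.
docker_exposed_ports() {
    wildcard_listeners | awk '$2 ~ /^docker/ { print $1 }'
}

# Exit 0 if the port given as $1 is published by Docker on all interfaces.
docker_port_is_public() {
    docker_exposed_ports | grep -qx "$1"
}

# Stand-alone run: list every wildcard listener, then the Docker ones.
printf '%s\n' "$SAMPLE" | wildcard_listeners
printf '%s\n' "$SAMPLE" | docker_exposed_ports
```

On a real host, replace the constructed sample with `netstat -tlnp | wildcard_listeners` (or the equivalent `ss -tlnp` parsed the same way). A port that shows up from `docker_exposed_ports` is one to either bind to the loopback address per container (`docker run -p 127.0.0.1:8080:80 ...`) or to cover with the daemon-wide settings discussed in the answers.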

2 Answers

Docker just adds its own iptables rules before the UFW rules; see https://docs.docker.com/articles/networking/ for details.

To avoid the problem I put

DOCKER_OPTS="--ip 127.0.0.1"

in my /etc/default/docker. So I bind only to localhost and it's not reachable from the outside.

kondor

Binding to localhost breaks internal routing for me. I use

DOCKER_OPTS="--iptables=false"

to fix this problem.

Bryan Larsen