
I have a service running on port 3007 in Docker, it's set up like this:

services:
    api:
        ports:
        - 3007:80

I tried adding a rule to the DOCKER-USER chain to block nonlocal traffic on that port:

iptables -I DOCKER-USER -p tcp --dport 3007 ! -s 127.0.0.1 -j DROP

However, this didn't work. Looking at the rules on the DOCKER chain it seems like the forwarded ports are the ones on the inside of the container (80 and not 3007), so I'm not sure how to go about managing access to them.

adrian
  • One workaround is to configure the app to run on port 3007 within the container so that the rule matches traffic to it, but I'll leave the question up since I can't do this for all my services – adrian Aug 19 '21 at 01:50
  • If you don't want the port to accept outside traffic, why did you expose it? – Michael Hampton Aug 19 '21 at 02:09
  • @MichaelHampton I need to reverse proxy some of the exposed ports, others are communicated with by applications that aren't in containers – adrian Aug 19 '21 at 02:11

1 Answer


Bind the exposed port to the loopback interface.

services:
    api:
        ports:
        - "127.0.0.1:3007:80"

Gerald Schneider
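An added check to go with the answer above (not code from the question or from Gerald Schneider's answer): a small POSIX sh audit that walks a compose file and reports, per service, whether the host side of each port mapping is bound to loopback, to all interfaces (the question's `3007:80`), or to a specific address. The compose text is a constructed sample, and `port_binding_class` and `audit_compose_ports` are hypothetical helper names.

```shell
# Added audit helper (not the asker's or answerer's code): classify each
# "ports:" entry of a compose file by where its host side listens.
# Short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
# Prints "loopback", "all-interfaces" (no host IP, 0.0.0.0 or ::), or the
# specific address the host side binds to.
port_binding_class() {
    spec=$(printf '%s' "$1" | tr -d "\"' ")   # drop YAML quoting and blanks
    spec=${spec%/*}                            # drop a /tcp or /udp suffix
    case "$spec" in
        \[*)   host=${spec#\[}; host=${host%%]*} ;;   # [::1]:3007:80
        *:*:*) host=${spec%%:*} ;;                    # 127.0.0.1:3007:80
        *)     host="" ;;                             # 3007:80 or bare 80
    esac
    case "$host" in
        ""|0.0.0.0|::) echo all-interfaces ;;
        127.*|::1)     echo loopback ;;
        *)             echo "$host" ;;
    esac
}
# Reads compose YAML on stdin; prints "service<TAB>mapping<TAB>class".
audit_compose_ports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^ *[A-Za-z0-9_.-]+: *$/ {            # bare "key:" line
            key = $1; sub(/:$/, "", key)
            match($0, /[^ ]/); indent = RSTART - 1
            if (key == "services") { svcindent = -1; inports = 0; next }
            if (svcindent < 0) svcindent = indent   # first key under services: is a service
            if (indent == svcindent) { svc = key; inports = 0 } else { inports = (key == "ports") }
        }
        inports && /^ *- / {                  # list item under ports:
            spec = $0; sub(/^ *- */, "", spec); sub(/ *#.*$/, "", spec)
            print svc "\t" spec
        }
    ' | while IFS="$(printf '\t')" read -r svc spec; do
        printf '%s\t%s\t%s\n' "$svc" "$spec" "$(port_binding_class "$spec")"
    done
}
# Constructed sample compose file, not the asker's real project.
SAMPLE_COMPOSE='services:
  api:
    ports:
      - "3007:80"            # as in the question: reachable on every interface
    environment:
      - APP_ENV=prod
  admin:
    ports:
      - "127.0.0.1:3008:80"  # the answer: loopback only
      - "[::1]:3008:80"'
audit_sample() { printf '%s\n' "$SAMPLE_COMPOSE" | audit_compose_ports; }
audit_sample
```

Any line ending in `all-interfaces` is a mapping that the DOCKER-USER rule in the question would not protect, because the port is published before iptables sees the forwarded packet.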