Bind docker container ports only to specific outside server address Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Come Celebrate our 10 Year Anniversary!How do I deploy a docker container and associated data container, including contents?UDP Traffic from outside to docker container is dropped after container restartTransparent proxying a single docker container to another docker containerSteps for limiting outside connections to docker container with iptables?Docker's iptables=false option seems to have not the desired behaviorOpen ports to Docker containersdocker containers won't connect to DNS server containerDropping external connections to Docker container with iptablesHow can I find the docker-machine network adapter name for a docker container?iptables and Docker - allow only specific port mappings
What's the purpose of writing one's academic bio in 3rd person?
Is the argument below valid?
Super Attribute Position on Product Page Magento 1
Why are there no cargo aircraft with "flying wing" design?
Are my PIs rude or am I just being too sensitive?
Letter Boxed validator
What is a Meta algorithm?
Did Kevin spill real chili?
Sorting numerically
Does surprise arrest existing movement?
Is it ethical to give a final exam after the professor has quit before teaching the remaining chapters of the course?
How do I mention the quality of my school without bragging
Storing hydrofluoric acid before the invention of plastics
What is the correct way to use the pinch test for dehydration?
Is there a documented rationale why the House Ways and Means chairman can demand tax info?
Is a manifold-with-boundary with given interior and non-empty boundary essentially unique?
What's the difference between `auto x = vector<int>()` and `vector<int> x`?
What do you call a phrase that's not an idiom yet?
How can I make names more distinctive without making them longer?
Withdrew £2800, but only £2000 shows as withdrawn on online banking; what are my obligations?
What is the longest distance a 13th-level monk can jump while attacking on the same turn?
List *all* the tuples!
Is 1 ppb equal to 1 μg/kg?
What does the "x" in "x86" represent?
Bind docker container ports only to specific outside server address
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!How do I deploy a docker container and associated data container, including contents?UDP Traffic from outside to docker container is dropped after container restartTransparent proxying a single docker container to another docker containerSteps for limiting outside connections to docker container with iptables?Docker's iptables=false option seems to have not the desired behaviorOpen ports to Docker containersdocker containers won't connect to DNS server containerDropping external connections to Docker container with iptablesHow can I find the docker-machine network adapter name for a docker container?iptables and Docker - allow only specific port mappings
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
This is the first time i address such a network "problem" to solve with docker and i need some inputs.
This is my situation:
Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run a PHP backend application.
Ufw default policy is set to DROP for both INPUT and OUTPUT, as well as for FORWARD.
sysctl rule:
net.ipv4.conf.all.forwarding = 0
My need:
- a container running in daemon mode, with port 8888/tcp which accept connections from the outside but ONLY from ip 8.8.8.8 and, also, port 4444/tcp which listen from localhost
My problem:
Ufw is set to accept incoming connections on port 8888/tcp ONLY from ip 8.8.8.8. Hence, basically:
sudo ufw allow in from 8.8.8.8 to any port 8888 proto tcp
Then, i run the container with:
docker run -p 8888:8888/tcp -p 127.0.0.1:4444:4444/tcp [other options ]
Afterwards, running nmap -p 8888 45.45.45.45 from a machine which have NOT the ip = 8.8.8.8, i expect to get port filtered.
But....
Host is up (0.056s latency).
PORT STATE SERVICE
8888/tcp open unknown
I have then tried to run the container again without -p 8888:8888/tcp and then i tried to run again the nmap, and...
Host is up (0.061s latency).
PORT STATE SERVICE
8888/tcp filtered unknown
Therefore, it seems that, correct me if i am wrong, docker rules override ufw's ones.
I have then searched a way to allow incoming traffic in a container only from a specific address, and i found something like:
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
And it worked:
PORT STATE SERVICE
8888/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
My question is then:
is the solution above right for my case? i mean: acting like above, i am overriding ufw rule allow in from 8.8.8.8 to any port 8888 proto tcp with a docker rule that says "expose ports only if traffic comes from ip 8.8.8.8 " ... is this the right approach?
would not be better to leave ufw do the "bad work" of drop unwanted packets and then just forward traffic from filtered ports to docker? is there a way to do this?
I would avoid this solution because being an iptable rule of the DOCKER chain, that rule involves all the containers i currently have or i will have.
Thank you.
networking iptables nat port-forwarding docker
edited Jan 31 '16 at 14:42
Tombart
1,16811736
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
add a comment |
This is the first time i address such a network "problem" to solve with docker and i need some inputs.
This is my situation:
Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run a PHP backend application.
Ufw default policy is set to DROP for both INPUT and OUTPUT, as well as for FORWARD.
sysctl rule:
net.ipv4.conf.all.forwarding = 0
My need:
- a container running in daemon mode, with port 8888/tcp which accept connections from the outside but ONLY from ip 8.8.8.8 and, also, port 4444/tcp which listen from localhost
My problem:
Ufw is set to accept incoming connections on port 8888/tcp ONLY from ip 8.8.8.8. Hence, basically:
sudo ufw allow in from 8.8.8.8 to any port 8888 proto tcp
Then, i run the container with:
docker run -p 8888:8888/tcp -p 127.0.0.1:4444:4444/tcp [other options ]
Afterwards, running nmap -p 8888 45.45.45.45 from a machine which have NOT the ip = 8.8.8.8, i expect to get port filtered.
But....
Host is up (0.056s latency).
PORT STATE SERVICE
8888/tcp open unknown
I have then tried to run the container again without -p 8888:8888/tcp and then i tried to run again the nmap, and...
Host is up (0.061s latency).
PORT STATE SERVICE
8888/tcp filtered unknown
Therefore, it seems that, correct me if i am wrong, docker rules override ufw's ones.
I have then searched a way to allow incoming traffic in a container only from a specific address, and i found something like:
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
And it worked:
PORT STATE SERVICE
8888/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
My question is then:
is the solution above right for my case? i mean: acting like above, i am overriding ufw rule allow in from 8.8.8.8 to any port 8888 proto tcp with a docker rule that says "expose ports only if traffic comes from ip 8.8.8.8 " ... is this the right approach?
would not be better to leave ufw do the "bad work" of drop unwanted packets and then just forward traffic from filtered ports to docker? is there a way to do this?
I would avoid this solution because being an iptable rule of the DOCKER chain, that rule involves all the containers i currently have or i will have.
Thank you.
networking iptables nat port-forwarding docker
edited Jan 31 '16 at 14:42
Tombart
1,16811736
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
Could you provide output ofiptables-save? When Docker starts it modifies iptables rules in order to ensure mapping to ports that should be open.
– Tombart
Jan 31 '16 at 11:12
add a comment |
This is the first time i address such a network "problem" to solve with docker and i need some inputs.
This is my situation:
Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run a PHP backend application.
Ufw default policy is set to DROP for both INPUT and OUTPUT, as well as for FORWARD.
sysctl rule:
net.ipv4.conf.all.forwarding = 0
My need:
- a container running in daemon mode, with port 8888/tcp which accept connections from the outside but ONLY from ip 8.8.8.8 and, also, port 4444/tcp which listen from localhost
My problem:
Ufw is set to accept incoming connections on port 8888/tcp ONLY from ip 8.8.8.8. Hence, basically:
sudo ufw allow in from 8.8.8.8 to any port 8888 proto tcp
Then, i run the container with:
docker run -p 8888:8888/tcp -p 127.0.0.1:4444:4444/tcp [other options ]
Afterwards, running nmap -p 8888 45.45.45.45 from a machine which have NOT the ip = 8.8.8.8, i expect to get port filtered.
But....
Host is up (0.056s latency).
PORT STATE SERVICE
8888/tcp open unknown
I have then tried to run the container again without -p 8888:8888/tcp and then i tried to run again the nmap, and...
Host is up (0.061s latency).
PORT STATE SERVICE
8888/tcp filtered unknown
Therefore, it seems that, correct me if i am wrong, docker rules override ufw's ones.
I have then searched a way to allow incoming traffic in a container only from a specific address, and i found something like:
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
And it worked:
PORT STATE SERVICE
8888/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
My question is then:
is the solution above right for my case? i mean: acting like above, i am overriding ufw rule allow in from 8.8.8.8 to any port 8888 proto tcp with a docker rule that says "expose ports only if traffic comes from ip 8.8.8.8 " ... is this the right approach?
would not be better to leave ufw do the "bad work" of drop unwanted packets and then just forward traffic from filtered ports to docker? is there a way to do this?
I would avoid this solution because being an iptable rule of the DOCKER chain, that rule involves all the containers i currently have or i will have.
Thank you.
networking iptables nat port-forwarding docker
edited Jan 31 '16 at 14:42
Tombart
1,16811736
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
This is the first time i address such a network "problem" to solve with docker and i need some inputs.
This is my situation:
Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run a PHP backend application.
Ufw default policy is set to DROP for both INPUT and OUTPUT, as well as for FORWARD.
sysctl rule:
net.ipv4.conf.all.forwarding = 0
My need:
- a container running in daemon mode, with port 8888/tcp which accept connections from the outside but ONLY from ip 8.8.8.8 and, also, port 4444/tcp which listen from localhost
My problem:
Ufw is set to accept incoming connections on port 8888/tcp ONLY from ip 8.8.8.8. Hence, basically:
sudo ufw allow in from 8.8.8.8 to any port 8888 proto tcp
Then, i run the container with:
docker run -p 8888:8888/tcp -p 127.0.0.1:4444:4444/tcp [other options ]
Afterwards, running nmap -p 8888 45.45.45.45 from a machine which have NOT the ip = 8.8.8.8, i expect to get port filtered.
But....
Host is up (0.056s latency).
PORT STATE SERVICE
8888/tcp open unknown
I have then tried to run the container again without -p 8888:8888/tcp and then i tried to run again the nmap, and...
Host is up (0.061s latency).
PORT STATE SERVICE
8888/tcp filtered unknown
Therefore, it seems that, correct me if i am wrong, docker rules override ufw's ones.
I have then searched a way to allow incoming traffic in a container only from a specific address, and i found something like:
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
And it worked:
PORT STATE SERVICE
8888/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
My question is then:
is the solution above right for my case? i mean: acting like above, i am overriding ufw rule allow in from 8.8.8.8 to any port 8888 proto tcp with a docker rule that says "expose ports only if traffic comes from ip 8.8.8.8 " ... is this the right approach?
would not be better to leave ufw do the "bad work" of drop unwanted packets and then just forward traffic from filtered ports to docker? is there a way to do this?
I would avoid this solution because being an iptable rule of the DOCKER chain, that rule involves all the containers i currently have or i will have.
Thank you.
networking iptables nat port-forwarding docker
networking iptables nat port-forwarding docker
edited Jan 31 '16 at 14:42
Tombart
1,16811736
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
edited Jan 31 '16 at 14:42
Tombart
1,16811736
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
edited Jan 31 '16 at 14:42
Tombart
1,16811736
edited Jan 31 '16 at 14:42
Tombart
1,16811736
edited Jan 31 '16 at 14:42
Tombart
1,16811736
1,16811736
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
asked Aug 14 '15 at 17:09
sciakysystemsciakysystem
112
112
Could you provide output ofiptables-save? When Docker starts it modifies iptables rules in order to ensure mapping to ports that should be open.
– Tombart
Jan 31 '16 at 11:12
add a comment |
Could you provide output ofiptables-save? When Docker starts it modifies iptables rules in order to ensure mapping to ports that should be open.
– Tombart
Jan 31 '16 at 11:12
Could you provide output of
iptables-save? When Docker starts it modifies iptables rules in order to ensure mapping to ports that should be open.– Tombart
Jan 31 '16 at 11:12
Could you provide output of
iptables-save? When Docker starts it modifies iptables rules in order to ensure mapping to ports that should be open.– Tombart
Jan 31 '16 at 11:12
add a comment |
2 Answers
2
active
oldest
votes
On Linux, both ufw and docker's rules are implemented on top of netfilter. So is iptables. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.
The command iptables-save is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.
answered Aug 17 '15 at 13:54
BryanBryan
27417
add a comment |
Note that when Docker daemon starts, it adds DOCKER chain to *filter and *nat rules. If you clear all iptables rules afterwards, using e.g. ufw, you might break expected behaviour. When you start a container, a FORWARD rules is added to DOCKER chain. Docker is running command like this:
iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8888 -j ACCEPT
However, this won't open any port to the world, because Docker is not modifying INPUT rules of iptables. So, this means that there's something wrong with your ufw rules.
If you don't like Docker modifying your iptables rules, you can disable it when in Docker service configuration by adding --iptables=false.
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f714276%2fbind-docker-container-ports-only-to-specific-outside-server-address%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
On Linux, both ufw and docker's rules are implemented on top of netfilter. So is iptables. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.
The command iptables-save is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.
answered Aug 17 '15 at 13:54
BryanBryan
27417
add a comment |
On Linux, both ufw and docker's rules are implemented on top of netfilter. So is iptables. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.
The command iptables-save is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.
answered Aug 17 '15 at 13:54
BryanBryan
27417
add a comment |
On Linux, both ufw and docker's rules are implemented on top of netfilter. So is iptables. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.
The command iptables-save is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.
answered Aug 17 '15 at 13:54
BryanBryan
27417
On Linux, both ufw and docker's rules are implemented on top of netfilter. So is iptables. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.
The command iptables-save is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.
answered Aug 17 '15 at 13:54
BryanBryan
27417
answered Aug 17 '15 at 13:54
BryanBryan
27417
answered Aug 17 '15 at 13:54
BryanBryan
27417
answered Aug 17 '15 at 13:54
BryanBryan
27417
27417
add a comment |
add a comment |
Note that when Docker daemon starts, it adds DOCKER chain to *filter and *nat rules. If you clear all iptables rules afterwards, using e.g. ufw, you might break expected behaviour. When you start a container, a FORWARD rules is added to DOCKER chain. Docker is running command like this:
iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8888 -j ACCEPT
However, this won't open any port to the world, because Docker is not modifying INPUT rules of iptables. So, this means that there's something wrong with your ufw rules.
If you don't like Docker modifying your iptables rules, you can disable it when in Docker service configuration by adding --iptables=false.
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
add a comment |
Note that when Docker daemon starts, it adds DOCKER chain to *filter and *nat rules. If you clear all iptables rules afterwards, using e.g. ufw, you might break expected behaviour. When you start a container, a FORWARD rules is added to DOCKER chain. Docker is running command like this:
iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8888 -j ACCEPT
However, this won't open any port to the world, because Docker is not modifying INPUT rules of iptables. So, this means that there's something wrong with your ufw rules.
If you don't like Docker modifying your iptables rules, you can disable it when in Docker service configuration by adding --iptables=false.
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
add a comment |
Note that when Docker daemon starts, it adds DOCKER chain to *filter and *nat rules. If you clear all iptables rules afterwards, using e.g. ufw, you might break expected behaviour. When you start a container, a FORWARD rules is added to DOCKER chain. Docker is running command like this:
iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8888 -j ACCEPT
However, this won't open any port to the world, because Docker is not modifying INPUT rules of iptables. So, this means that there's something wrong with your ufw rules.
If you don't like Docker modifying your iptables rules, you can disable it when in Docker service configuration by adding --iptables=false.
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
Note that when Docker daemon starts, it adds DOCKER chain to *filter and *nat rules. If you clear all iptables rules afterwards, using e.g. ufw, you might break expected behaviour. When you start a container, a FORWARD rules is added to DOCKER chain. Docker is running command like this:
iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 172.17.0.2 --dport 8888 -j ACCEPT
However, this won't open any port to the world, because Docker is not modifying INPUT rules of iptables. So, this means that there's something wrong with your ufw rules.
If you don't like Docker modifying your iptables rules, you can disable it when in Docker service configuration by adding --iptables=false.
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
answered Jan 31 '16 at 11:29
TombartTombart
1,16811736
1,16811736
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f714276%2fbind-docker-container-ports-only-to-specific-outside-server-address%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Could you provide output of
iptables-save? When Docker starts it modifies iptables rules in order to ensure mapping to ports that should be open.– Tombart
Jan 31 '16 at 11:12