Docker expose a port only to localhost

I want to restrict my database access to 127.0.0.1, so I executed the following command:

docker run -it --name db.mysql -p 127.0.0.1:3306:3306 mysql:5.5

But I have some confusion...

You can see here that only the port of 127.0.0.1 will be forwarded:

; docker ps
mysql:5.5     127.0.0.1:3306->3306/tcp   db.mysql

Interestingly, I cannot find this restriction in iptables:

; iptables -L
Chain FORWARD (policy DROP)
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.112.2        tcp dpt:mysql

The source of this rule is anywhere.

KInGcC asked Sep 29 '19 07:09


1 Answer

The incoming traffic flows like this:

Incoming packet to the host's network -> iptables forwards it to the container

Your restriction was not in iptables; it was in the host's network stack. You only opened 3306 bound to 127.0.0.1, not 0.0.0.0, so of course you do not see anything in iptables. 127.0.0.1:3306:3306 means hostIp:hostPort:containerPort.

You can confirm it with netstat -oanltp | grep 3306 and see that no 0.0.0.0 entry is there, so no foreign host can reach your host machine on that port, and thus also cannot reach your container.

atline answered Sep 28 '22 19:09
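An added example, not part of the question or the answer above, that turns the two checks discussed in this thread into a small audit script: it parses docker ps-style port mappings to flag containers published on a wildcard host address (0.0.0.0 or ::), and parses netstat -tln-style output to confirm that a given port is bound to loopback only. The sample outputs embedded below are constructed for the example; in real use you would feed it docker ps --format '{{.Names}} {{.Ports}}' and netstat -tln output instead.

```shell
#!/bin/sh
# Added example (not from the original post). Audits Docker port publishing
# and host listeners to catch ports that are reachable from other hosts.

# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output.
SAMPLE_PS='db.mysql 127.0.0.1:3306->3306/tcp
web 0.0.0.0:8080->80/tcp, :::8080->80/tcp
cache 6379/tcp'

# Constructed sample of `netstat -tln` output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# exposed_bindings PS_OUTPUT
# Prints "container hostIp:hostPort" for every published port whose host side
# is a wildcard address. Ports without "->" are merely EXPOSEd, not published,
# and are skipped (they are only reachable on the Docker network).
exposed_bindings() {
    printf '%s\n' "$1" | awk '
    {
        name = $1
        sub(/^[^ ]+ +/, "")              # drop the name, keep the port list
        n = split($0, maps, /, */)       # mappings are comma-separated
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue      # exposed only, not published
            split(m, parts, "->")
            host = parts[1]              # hostIp:hostPort
            ip = host
            sub(/:[0-9]+$/, "", ip)      # strip the trailing :port
            if (ip == "0.0.0.0" || ip == "::" || ip == "[::]" || ip == "*")
                print name, host
        }
    }'
}

# count_exposed PS_OUTPUT: number of wildcard bindings found.
count_exposed() {
    exposed_bindings "$1" | wc -l | tr -d ' '
}

# port_is_local_only PORT NETSTAT_OUTPUT
# Returns 0 when every LISTEN socket on PORT is bound to a loopback address,
# 1 when any is bound to a wildcard or external address.
port_is_local_only() {
    printf '%s\n' "$2" | awk -v port="$1" '
    $NF == "LISTEN" {
        addr = $4
        p = addr; sub(/.*:/, "", p)       # port is after the last colon
        if (p != port) next
        ip = addr; sub(/:[0-9]+$/, "", ip)
        if (ip != "127.0.0.1" && ip != "::1" && ip != "localhost") bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Stand-alone run over the constructed samples.
echo "Published on wildcard addresses:"
exposed_bindings "$SAMPLE_PS"
if port_is_local_only 3306 "$SAMPLE_NETSTAT"; then
    echo "3306: loopback only"
else
    echo "3306: reachable from other hosts"
fi
```

With the constructed samples, db.mysql is reported as loopback-only (the situation in the question), while web shows up twice because Docker publishes on both 0.0.0.0 and :: when no host IP is given. The IPv6 wildcard is worth checking explicitly: a grep for 0.0.0.0 alone, as suggested in the answer, would miss a listener on :::3306.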