I want to restrict my database access to 127.0.0.1, so I executed the following command:

docker run -it -p 127.0.0.1:3306:3306 --name db.mysql mysql:5.5

But I have some confusion...

You can see here that only the port of 127.0.0.1 will be forwarded:

; docker ps
mysql:5.5 127.0.0.1:3306->3306/tcp db.mysql

Interestingly, I cannot find this restriction in iptables:

; iptables -L
Chain FORWARD (policy DROP)
DOCKER all -- anywhere anywhere
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.112.2 tcp dpt:mysql

The source of this rule is anywhere.
When running Docker natively on Linux, you can access host services using the IP address of the docker0 interface. From inside the container, this will be your default route. This would permit access to any ports on the host from Docker containers.
To make a port available to services outside of Docker, or to Docker containers which are not connected to the container's network, use the --publish or -p flag. This creates a firewall rule which maps a container port to a port on the Docker host to the outside world.
First, pull the image down to your host with docker pull. Now, use docker image inspect to see which ports this image has exposed. By passing it a format string, you can have inspect filter everything except the published ports. Just as you would expect, Nginx is listening on port 80.
The incoming traffic will go like this:

Incoming packet to host's network -> use iptables to forward to container

And your restriction was not in iptables, it was in the host's network: you just opened 3306 bound on 127.0.0.1, not 0.0.0.0, so of course you do not see anything in iptables. 127.0.0.1:3306:3306 means hostIp:hostPort:containerPort.

You could confirm it with netstat -oanltp | grep 3306 to see that no 0.0.0.0 was there, so no foreign host could visit your host machine, and thus also could not visit your container.
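The answer above makes two checks: read the host IP that Docker bound for each published port (an empty HostIp in `HostConfig.PortBindings` means 0.0.0.0, i.e. all interfaces), and confirm with netstat that no wildcard listener exists for that port. The script below, added here as an example and not part of the original answer or of Docker, automates both checks over constructed sample output: the PortBindings JSON mimics what `docker inspect --format '{{json .HostConfig.PortBindings}}' db.mysql` returns, and the netstat lines mimic `netstat -oanltp` output. The container name, the second published port 33060 and the PIDs are assumptions made up for the sample.

```python
import json
import re

# Constructed sample of `docker inspect --format '{{json .HostConfig.PortBindings}}' db.mysql`
# (not taken from the question). The key/value shape matches Docker's real PortBindings.
# An empty "HostIp" is how Docker records a bind on all interfaces (0.0.0.0).
PORT_BINDINGS_JSON = '''{
  "3306/tcp": [{"HostIp": "127.0.0.1", "HostPort": "3306"}],
  "33060/tcp": [{"HostIp": "", "HostPort": "33060"}]
}'''

# Constructed sample of `netstat -oanltp` lines (not taken from the question).
NETSTAT_LINES = """tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0) 1234/docker-proxy
tcp6       0      0 :::33060                :::*                    LISTEN      off (0.00/0/0) 1235/docker-proxy
"""

LOOPBACK = ("127.0.0.1", "::1")
WILDCARD = ("0.0.0.0", "::", "*")


def published_bindings(inspect_json):
    """Return (container_port, host_ip, host_port) for every published port.
    An empty HostIp is normalised to 0.0.0.0, which is what Docker actually binds."""
    data = json.loads(inspect_json) or {}
    out = []
    for cport, binds in data.items():
        for b in binds or []:
            host_ip = b.get("HostIp") or "0.0.0.0"
            out.append((cport, host_ip, b.get("HostPort", "")))
    return out


def exposed_bindings(inspect_json):
    """Published ports reachable from other hosts: anything not bound to loopback."""
    return [b for b in published_bindings(inspect_json) if b[1] not in LOOPBACK]


# netstat -anlt columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State ...
NETSTAT_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN")


def listening_sockets(netstat_text):
    """Parse LISTEN rows into (address, port); handles 'ip:port' and ':::port'."""
    socks = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        addr, _, port = m.group(1).rpartition(":")
        socks.append((addr or "::", int(port)))
    return socks


def wildcard_listeners(netstat_text):
    """Listeners bound on all interfaces, i.e. reachable from foreign hosts."""
    return [(a, p) for a, p in listening_sockets(netstat_text) if a in WILDCARD]


def audit(inspect_json, netstat_text):
    """Combine both views: report every port that is exposed beyond loopback."""
    findings = []
    for cport, host_ip, host_port in exposed_bindings(inspect_json):
        findings.append(f"PortBindings: {cport} published on {host_ip}:{host_port}")
    for addr, port in wildcard_listeners(netstat_text):
        findings.append(f"netstat: wildcard listener {addr}:{port}")
    return findings


if __name__ == "__main__":
    for line in audit(PORT_BINDINGS_JSON, NETSTAT_LINES):
        print(line)
```

Run against the sample, the script reports only port 33060: 3306 is bound to 127.0.0.1 in both views, which is exactly why the question's iptables output shows nothing special for it. To use it on a real host, replace the two constants with the output of the two commands named in the lead-in.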