
Why is this docker image allowed past the firewall?

I'm running a docker container that has the port 9000:9000 binding to the host, but I also have ufw enabled. The only ports I've allowed are 22, 80, 443.

So why is it that I'm able to connect to this container using the host's IP address? Shouldn't port 9000 be blocked by ufw?

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                      NAMES
14417c4f71fb        dockerui/dockerui   "/dockerui"              2 seconds ago       Up 2 seconds        0.0.0.0:9000->9000/tcp     docker_ui

root@docker:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

Aren't all ports blocked by default when you enable ufw?

Reactgular asked Feb 20 '16 02:02




1 Answer

Docker silently modifies iptables. You can start the Docker daemon with the --iptables=false option by editing DOCKER_OPTS in /etc/default/docker.

kliew answered Sep 28 '22 20:09
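
The check below is an added example, not part of the original answer: it compares the DNAT rules Docker writes into the nat table's DOCKER chain with the ports ufw allows, and lists published ports that have no ufw ALLOW row. The iptables sample is constructed for the container in the question (the container address 172.17.0.2 is an assumption), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed; on a real host feed the
# functions from `iptables -t nat -S DOCKER` and `ufw status`.

# Constructed nat-table rules for the container in the question
# (container address 172.17.0.2 is an assumption).
SAMPLE_NAT='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000'

# `ufw status` rows as shown in the question (abridged).
SAMPLE_UFW='Status: active
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)'

# Print "proto/port" for every DNAT rule Docker added for a published port.
docker_published_ports() {
  awk '/-j DNAT/ {
    proto = ""; port = ""
    for (i = 1; i < NF; i++) {
      if ($i == "-p")      proto = $(i + 1)
      if ($i == "--dport") port  = $(i + 1)
    }
    if (port != "") print proto "/" port
  }' | sort -u
}

# Print the port of each single-port ALLOW row (protocol suffix dropped).
ufw_allowed_ports() {
  awk '$2 == "ALLOW" || $3 == "ALLOW" { split($1, a, "/"); print a[1] }' | sort -un
}

# $1 = DOCKER nat chain rules, $2 = ufw status output.
# Prints published ports that ufw has no ALLOW row for.
unfiltered_ports() {
  _allowed=$(printf '%s\n' "$2" | ufw_allowed_ports)
  printf '%s\n' "$1" | docker_published_ports | while IFS=/ read -r proto port; do
    printf '%s\n' "$_allowed" | grep -qx "$port" || echo "$proto/$port"
  done
}

unfiltered_ports "$SAMPLE_NAT" "$SAMPLE_UFW"   # prints tcp/9000
```

Any line printed is a port that Docker's DNAT rule forwards to a container even though ufw has no ALLOW row for it. Publishing with `-p 127.0.0.1:9000:9000` binds such a port to loopback only.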