$ cat /etc/issue
Before I used Docker on Ubuntu, open ports were limited by iptables, and that was safe and reliable.
I was also very confident using this tool to configure the firewall.
Service machines like MySQL, Redis and Elasticsearch are usually deployed on the internal network, so I had never considered the problem of ports being exposed without authentication.
One day, after deploying a picture storage service in a Docker container, I blocked its port in the iptables rules on a test server that is reachable from the external network.
It looks like this:
$ docker run --name=redis-app -d -p 6379:6379 redis:3.2.1
Docker starts a single Redis container and binds its port to the host.
At this point, Redis can be connected to from anywhere.
# Reject all requests to port 6379
# Only allow local access
# Save the change
You will find that iptables doesn't work for this port!
Anyone can still connect to this Redis!
Let's check iptables.
$ sudo iptables -L DOCKER
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6379
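That ACCEPT rule lives in the DOCKER chain, which packets for containers reach from FORWARD, so a rule added to INPUT never sees them. The following is an added check, not part of the original post: it scans a (constructed) `iptables -L DOCKER -n` listing and reports every container port that Docker accepts from an unrestricted source.

```shell
#!/bin/sh
# Added example (not from the original post). Lists container ports that the
# DOCKER chain accepts from any source, i.e. ports an INPUT rule cannot block.

# Constructed sample in the format `iptables -L DOCKER -n` prints. The first
# rule is the one shown in the post; the other two are made up for contrast.
SAMPLE_DOCKER_CHAIN='Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:6379
ACCEPT     tcp  --  10.0.0.0/8           172.17.0.3           tcp dpt:3306
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:9200'

# exposed_docker_ports LISTING
# Prints "container_ip:port" for each ACCEPT rule whose source is unrestricted
# (0.0.0.0/0 with -n, or "anywhere" without it). Live use:
#   exposed_docker_ports "$(sudo iptables -L DOCKER -n)"
exposed_docker_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "ACCEPT" && ($4 == "0.0.0.0/0" || $4 == "anywhere") {
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $5 ":" $i }
            }
        }'
}

# port_is_exposed PORT LISTING
# Succeeds (exit 0) when PORT is reachable from anywhere through the DOCKER chain.
port_is_exposed() {
    exposed_docker_ports "$2" | grep -q ":$1\$"
}

# Demo against the constructed sample.
exposed_docker_ports "$SAMPLE_DOCKER_CHAIN"
```

The post's fix is to stop Docker from managing iptables at all; on Docker 17.06 and later, the DOCKER-USER chain is the supported place for host rules that must be evaluated before Docker's own ACCEPT rules.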
Stop Docker from modifying the iptables rules
$ sudo vim /etc/default/docker
Add this option at the bottom
$ sudo service docker restart