@plembo
Last active January 24, 2025 15:21
Docker iptables compromise

Docker iptables compromise: workaround

During installation of Docker on Linux, the service inserts its own chains into iptables (in the nat and filter tables' FORWARD path) that allow published container ports to bypass the host firewall, exposing them even when no explicit INPUT rule on the host permits the traffic.

Many solutions have been proposed for this but none of them are entirely satisfying. For example, a common recommendation is to prevent Docker from altering iptables by placing a daemon.json file under /etc/docker:

{
  "iptables": false
}

The problem with this is that your Docker containers will no longer be able to connect to anything outside of the host. There have been a number of different fixes for this shortcoming, but none have worked for every container on my Ubuntu 18.04 hosts.

For containerized web applications like portainer or pgadmin4 that are better served up through a web proxy such as nginx anyway, the more straightforward answer is to only publish the container's ports on the localhost (127.0.0.1) interface rather than Docker's default of all interfaces (0.0.0.0).

In my updated pgadmin4 start script, for example, I use the following directive to expose its web port:

-p 127.0.0.1:5050:80
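To check which running containers still publish ports on all interfaces instead of loopback, here is an added audit script (not part of the gist) that reads the JSON produced by `docker inspect`, where each published port appears under HostConfig.PortBindings with a HostIp and HostPort; the sample data below is constructed.

```python
from __future__ import annotations
import json
import sys

# Host addresses that mean "every interface" in a Docker port binding
# (an empty HostIp is what Docker records for a bare "-p 5432:5432").
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}


def exposed_bindings(inspect_json: str) -> list[tuple[str, str, str, str]]:
    """Return (container, container_port, host_ip, host_port) for every
    published port bound to all interfaces rather than to a loopback address.

    inspect_json is the output of `docker inspect <container>...`, a JSON list.
    """
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
        for cport, hosts in bindings.items():
            for h in hosts or []:
                host_ip = h.get("HostIp", "")
                if host_ip in WILDCARD_HOST_IPS:
                    findings.append((name, cport, host_ip or "0.0.0.0",
                                     h.get("HostPort", "")))
    return findings


# Constructed sample: pgadmin4 published the way this gist recommends,
# postgres published on all interfaces (the default).
SAMPLE = json.dumps([
    {"Name": "/pgadmin4",
     "HostConfig": {"PortBindings": {
         "80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5050"}]}}},
    {"Name": "/postgres",
     "HostConfig": {"PortBindings": {
         "5432/tcp": [{"HostIp": "", "HostPort": "5432"}]}}},
])

if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit_ports.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, cport, ip, hport in exposed_bindings(data):
        print(f"{name}: {cport} published on {ip}:{hport} "
              f"(reachable regardless of host INPUT rules)")
```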

I then use nginx to proxy that local port for remote users:

location / {
    proxy_pass http://localhost:5050/;
}

Non-web applications like the PostgreSQL database are more problematic, as proxying them is much more involved. Fortunately most services will allow you to restrict access by network subnet or host address. Here's an example from a PostgreSQL pg_hba.conf configuration:

# IPv4 remote connections
# host    all         all             0.0.0.0/24              md5
host    all    all    10.1.1.0/24     md5
host    all    all    172.17.0.0/16   md5

Some kind of edge firewall as an additional layer of protection is always recommended if a host is going to be accessible from the Internet, but not having an effective host firewall definitely sucks.
