Bypass the Docker --iptables limitations

By default the Docker daemon (dockerd) starts in an 'open' mode: every port a container publishes is reachable from the internet, NO MATTER whether the Linux host runs a firewall that restricts access. That is because dockerd programs the packet filter itself, at a lower level than the host firewall, so the firewall's rules are bypassed.
To be able to limit access to published ports on a Docker host with a normal Linux firewall such as UFW, dockerd needs to be started with the option --iptables=false,
e.g. in the systemd unit file (/etc/systemd/system/multi-user.target.wants/docker.service):

ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock

BUT this method has a drawback: it prevents containers from opening new network connections to the internet from inside the container.
That can be very debilitating for some containers. One solution to this limitation is to add

network_mode: bridge

to each service in the docker-compose.yml of the containers that are started by Compose.
Reference: https://docs.docker.com/network/bridge/
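As an added example (not code from the original post), a small shell audit that checks both settings the post describes: whether the unit file starts dockerd with --iptables=false, and which Compose services still lack network_mode: bridge. The file paths and the sample unit and compose files are constructed here so that it runs offline.

```shell
# Added audit helper, not code from the original post. It checks the two
# settings the post describes against a dockerd unit file and a
# docker-compose.yml; constructed sample files are written by make_samples.
# Succeeds (exit 0) when the unit's ExecStart line runs dockerd with
# --iptables=false, i.e. Docker will not program iptables itself.
dockerd_iptables_disabled() {
    grep -Eq '^ExecStart=.*dockerd[^#]*--iptables=false' "$1"
}
# Prints every compose service that lacks "network_mode: bridge".
# Assumes the usual layout: services indented two spaces, their keys four.
services_without_bridge() {
    awk '
        /^services:/        { in_svc = 1; next }
        in_svc && /^[^ ]/   { in_svc = 0 }        # next top-level key ends the block
        in_svc && /^  [A-Za-z0-9_.-]+:/ {         # a new service name
            if (svc != "" && !bridge) print svc
            svc = $1; sub(/:$/, "", svc); bridge = 0; next
        }
        in_svc && /^    network_mode: *bridge *$/ { bridge = 1 }
        END { if (svc != "" && !bridge) print svc }
    ' "$1"
}
# Writes constructed sample files into a temp dir and prints its path.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock
EOF
    cat >"$dir/docker-default.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
EOF
    cat >"$dir/docker-compose.yml" <<'EOF'
services:
  web:
    image: nginx
    ports:
      - "8080:80"
    network_mode: bridge
  db:
    image: postgres
volumes:
  data:
EOF
    echo "$dir"
}
```

On a real host, point it at the unit systemd actually loads (`systemctl cat docker` shows it); a drop-in created with `systemctl edit docker` survives package upgrades, whereas edits to the packaged unit file may not.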
