this post was submitted on 07 Dec 2025
Docker security (lemmy.zip)
submitted 3 days ago* (last edited 3 days ago) by jobbies@lemmy.zip to c/selfhosted@lemmy.world

You're probably already aware of this, but if you run Docker on Linux and use ufw or firewalld - it will bypass all your firewall rules. It doesn't matter what your defaults are or how strict you are about opening ports; Docker has free rein to send and receive from the host as it pleases.

If you are good at manipulating iptables there is a way around this, but it also affects outgoing traffic and could interfere with the bridge. Unless you're a pointy head with a fetish for iptables this will be a world of pain, so isn't really a solution.

There is a tool called ufw-docker that mitigates this by manipulating iptables for you. I was happy with this as a solution and it used to work well on my rig, but for some unknown reason it's no longer working and Docker is back to doing its own thing.

Am I missing an obvious solution here?

It seems odd for a popular tool like Docker - that is also used by enterprise - not to have a pain-free way around this.

[–] mhzawadi@lemmy.horwood.cloud 33 points 3 days ago (4 children)

Docker by default will bind exposed ports to all IPs, but you can override this by setting an IP on the port exposed so that a local-only server is only accessible on 127.0.0.1

I do this with things that should go down my VPN only

https://docs.docker.com/reference/compose-file/services/#ports

[–] dan@upvote.au 24 points 3 days ago* (last edited 3 days ago) (1 children)

you can override this by setting an IP on the port exposed so that a local-only server is only accessible on 127.0.0.1

Also, if the Docker container only has to be accessed from another Docker container, you don't need to expose a port at all. Docker containers can reach other Docker containers in the same compose stack by hostname.

[–] tofu@lemmy.nocturnal.garden 10 points 2 days ago

Also works cross stack if you assign the containers the same network.

[–] jobbies@lemmy.zip 3 points 3 days ago (2 children)

That might do the trick. Would you mind giving an example?

[–] tux7350@lemmy.world 11 points 3 days ago (1 children)

Something like this. This is a compose.yml that only allows connections from the local host on port 8080 to reach container port 80.

services:
  webapp:
    image: nginx:latest
    container_name: local_nginx
    ports:
      - "127.0.0.1:8080:80"

[–] jobbies@lemmy.zip 1 points 2 days ago (1 children)

Ahh. Then route it through the firewall/pass it to a reverse proxy?

[–] tux7350@lemmy.world 7 points 2 days ago (1 children)

Well if your reverse proxy is also inside of a container, you don't need to expose the port at all. As long as the containers are in the same docker network then they can communicate.

If your reverse proxy is not inside a docker container, then yes this method would work to prevent clients from connecting to a docker container.

[–] jobbies@lemmy.zip 1 points 2 days ago (1 children)

Thanks, given me something to think about.

[–] tux7350@lemmy.world 5 points 2 days ago

Course, feel free to DM if you have questions.

This is a common setup. Have a firewall block all traffic. Use docker to punch a hole through the firewall and expose only 443 to the reverse proxy. Now any container can be routed through the reverse proxy as long as the container is on the same docker network.

If you define no network, the containers are put into a default bridge network; use docker inspect to see the container IPs.

Here is an example of how to define a custom docker network called "proxy_net" and statically set each container IP.

networks:
  proxy_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16

services:
  app1:
    image: nginx:latest
    container_name: app1
    networks:
      proxy_net:
        ipv4_address: 172.28.0.10
    ports:
      - "8080:80"

  whoami:
    image: containous/whoami:latest
    container_name: whoami
    networks:
      proxy_net:
        ipv4_address: 172.28.0.11

Notice how "who am I" is not exposed at all. The nginx container can now serve the whoami container with the proper config, pointing at 172.28.0.11.

[–] themachine@lemmy.world 6 points 3 days ago

Instead of 8080:8080 port mapping you do 127.0.0.1:8080:8080

[–] jobbies@lemmy.zip 1 points 3 days ago (1 children)

That might do the trick. Would you mind giving an example?

[–] mhzawadi@lemmy.horwood.cloud 8 points 2 days ago (1 children)

Sure, you can see below that port 53 is only on a secondary IP I have on my docker host.

services:
  pihole01:
    image: pihole/pihole:latest
    container_name: pihole01
    ports:
      - "8180:80/tcp"
      - "9443:443/tcp"
      - "192.168.1.156:53:53/tcp" # this will only bind to that IP
      - "192.168.1.156:53:53/udp" # this will only bind to that IP
      - "192.168.1.156:67:67/udp" # this will only bind to that IP
    environment:
      TZ: 'Europe/London'
      FTLCONF_webserver_api_password: 'mysecurepassword'
      FTLCONF_dns_listeningMode: 'all'
    dns:
      - '127.0.0.1'
      - '192.168.1.1'
    restart: unless-stopped
    labels:
        - "traefik.http.routers.pihole_primary.rule=Host(`dns01.example.com`)"
        - "traefik.http.routers.pihole_primary.service=pihole_primary"
        - "traefik.http.services.pihole_primary.loadbalancer.server.port=80"
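
As an added example (not code from the thread or from any of the posters), here is a small Python check that scans a compose file's ports: entries and flags those Docker will publish on every host interface, which is the case the thread is warning about. It uses a deliberately minimal line-based scanner rather than a YAML library, and the compose text it scans is constructed to mirror the snippets above.

```python
ALL_INTERFACES = {"", "0.0.0.0", "::"}  # no address = dockerd's default, normally 0.0.0.0

def parse_port_spec(spec: str) -> tuple[str, str, str, str]:
    """Compose short syntax [host_ip:][host_port:]container_port[/proto] -> (ip, host_port, container_port, proto)."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) > 3:  # bracketed IPv6 addresses are not handled here
        raise ValueError(f"unsupported port spec: {spec}")
    parts = [""] * (3 - len(parts)) + parts  # host ip, then host port, are the optional leading fields
    return parts[0], parts[1], parts[2], proto or "tcp"

def extract_ports(compose_text: str) -> list[tuple[str, str]]:
    """Line-based scan (no YAML library): (service, spec) per entry in a ports: list; assumes the usual two-space layout."""
    pairs, service, ports_indent = [], None, None
    for raw in compose_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent, key = len(line) - len(line.lstrip()), line.strip()
        if ports_indent is not None and indent > ports_indent and key.startswith("- "):
            pairs.append((service, key[2:].strip().strip("\"'")))
            continue
        ports_indent = None  # any other line ends the current ports: list
        if indent == 2 and key.endswith(":"):
            service = key[:-1]
        elif key == "ports:":
            ports_indent = indent
    return pairs

def audit(compose_text: str) -> list[str]:
    """One finding per published port that Docker will bind on every host interface."""
    findings = []
    for service, spec in extract_ports(compose_text):
        host_ip, _host_port, cport, proto = parse_port_spec(spec)
        if host_ip in ALL_INTERFACES:
            findings.append(f"{service}: {spec} exposes container {cport}/{proto} on all interfaces")
    return findings

SAMPLE = """\
# constructed sample mirroring the thread's compose snippets; not a real deployment
services:
  webapp:
    ports:
      - "127.0.0.1:8080:80"
  pihole01:
    ports:
      - "8180:80/tcp"
      - "192.168.1.156:53:53/udp"  # bound to one host address only
  whoami:
    image: containous/whoami:latest
"""
```

Only the 8180:80/tcp mapping is reported: the loopback-bound and single-IP-bound entries pass, and whoami publishes nothing at all.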

[–] jobbies@lemmy.zip 2 points 2 days ago

Thanks, I'm embarrassed that I didn't know about this already 😅

[–] bjoern_tantau@swg-empire.de -1 points 3 days ago

Yeah, leaving unwanted ports open is a configuration problem. A firewall gives you just the opportunity to fuck up twice.