DEV Community


Discussion on: Be careful with Docker ports!

rendlerdenis profile image
Denis Rendler

Hey, Kevin.

I really liked your article, especially as I got bit the same way with exactly the same ELK stack :). But I think there are a few points that might need a bit of reconsidering.
The thing is that iptables itself "is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel". And which comes by default with, I think, all Linux distros. It is just an interface between the user and the kernel. If I am not mistaken UFW is the same. Allowing an easy interface for the user to configure rules.

Given that, Docker, indeed, is using iptables to make a few magic tricks with its networking, but it is explained here: and a bit more here: and a few other scattered places in the docs. Nobody's docs are perfect :)

An improvement that I think you could do, and which helped me, is to add a rule to the DOCKER-USER chain to log and drop all packets. That way you are safe from future mistakes.
Another trick I did was to have my proxy, HAProxy in my case, run inside a container and I simply created a network between the proxy and the ELK stack. That way I no longer needed to map ports to the host anymore. Everything was contained inside the Docker network and from the host only ports 80 and 443 where allowed. Whenever I need to add a new service I just attach it to the HAProxy network and voila.

rendlerdenis profile image
Denis Rendler

Also, this option might help you:
--ip ip Default IP when binding container ports (default - click for docs

You can configure it through daemon.json located at /etc/docker/
and it will always map host ports to the if you want.

I hope it help. ;)

Forem Open with the Forem app