By default docker will override the "Uncomplicated Firewall" (UFW) rules, it is important to be aware of this so that you do not accidentally expose your docker containers to the world.
If you had UFW configured to block port 3000, then you would be forgiven for assuming our docker app would also be blocked.
docker run -d -p 3000:5000 training/webapp python app.py
However, docker adds rules to IP tables directly. This bypasses UFW which causes our app to be exposed to the world.
The problem is that our port mapping tag exposes our app:
Restricting access to localhost is a simple change:
This binds port 5000 inside the container to port 3000 on the localhost or 127.0.0.1 interface on the host machine.
Our app is now blocked from external traffic!
GCP, AWS and even OVH all have external firewalls that sit infront of the server. Leveraging cloud based firewalls in addition to UFW is the best way to solve the issue.