Are you running a firewall like ufw with Docker? You might be surprised to learn that your firewall is probably not doing anything to block unwanted internet traffic from reaching your Docker services. Docker modifies iptables rules to completely bypass or ignore the rules set by ufw. In this article, I will explain how to check if the services running on your server are exposed and how to protect them.
I usually begin articles like this one by explaining some history or backstory to provide context. But in this case, let's dive right into how to check if your services are exposed remotely.
In this section we will use netstat and nmap to check for local processes that are listening for TCP connections and to scan ports. To install them:
From the above results, we can see that we have 5 services listening for TCP connections. "Local Address" refers to the host (IP address and port number) on which the service is listening. For example, requests to "127.0.0.1:8332" will be handled by that service.
Here we see that all 5 service ports are open on any interface. But this doesn't tell us what we really want to know: are these ports exposed remotely?
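The "Local Address" column described above already narrows that question: a listener bound to a loopback address cannot be reached from another machine, while one bound to all interfaces can be unless something filters it. The script below is an added example, not part of the original article, that classifies `netstat -tln` style output this way; the sample lines are constructed (only 127.0.0.1:8332 comes from the text above) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify TCP listeners by the scope of their "Local Address".
# SAMPLE is constructed netstat -tln style output, not output from a real host.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8332          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:5432         0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# Reads netstat -tln output on stdin; prints "port address scope" per listener.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # The port follows the last colon; IPv6 addresses contain colons too.
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"     # reachable unless a firewall rule applies
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback-only"      # only reachable from the host itself
        else
            scope = "single-address"     # reachable via that one interface
        print port, addr, scope
    }'
}

# Prints a comma-separated list of ports that are not loopback-only; these are
# the ones worth confirming with a scan from a second machine.
remote_candidates() {
    classify_listeners | awk '$3 != "loopback-only" { print $1 }' |
        sort -n -u | paste -sd, -
}

printf '%s\n' "$SAMPLE" | classify_listeners
printf 'check remotely: %s\n' "$(printf '%s\n' "$SAMPLE" | remote_candidates)"
```

On a live host, pipe `netstat -tln` into `classify_listeners` in place of the sample.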