Temporarily disabling exposed ports on Docker

I would like to temporarily disable some Docker container ports at runtime, that is, without changing the image or stopping/starting the container.

I have some services running: a web client, an authentication service, a MongoDB instance and also a load balancer, all of them in the same VM.

Since there is no API to modify exposed ports at runtime in Docker, I have to work with the iptables command.

So I've built some code which disables the ports related to a particular container name passed as a parameter.

I have the following rule for the authentication server:

    -A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j ACCEPT

Which my code modifies as follows:

    -A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j DROP

At this point I am expecting that I can't authenticate anymore, but I still can.

At the same time, if I try the same code against the load balancer, everything works fine: I can't access the URL, as expected.

These are the original rules for nginx:

    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j ACCEPT
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j ACCEPT
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j ACCEPT

Here are the modified ones:

    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j DROP
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j DROP
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j DROP

Below is the output of the docker ps command:

    [root@sandbox-test-28 ~]# docker ps
    CONTAINER ID        IMAGE                       COMMAND                   CREATED             STATUS              PORTS                                                               NAMES
    d007479faaf4        service-auth-nodejs         "/bin/sh -c \"/usr/bin"   2 days ago          Up 2 days           0.0.0.0:8081->8081/tcp                                              authentication-microservice
    c073989b49ce        nginx                       "/bin/bash -c /etc/ng"    2 days ago          Up 2 days           0.0.0.0:443->443/tcp, 0.0.0.0:9000->80/tcp, 0.0.0.0:10000->81/tcp   nginx-microservice
    432ea895d90a        web                         "/bin/sh -c \"/usr/bin"   2 days ago          Up 2 days           0.0.0.0:8000->8000/tcp                                              webclient-microservice
    0c8141da8c0b        mongo                       "/entrypoint.sh mongo"    2 days ago          Up 2 days           0.0.0.0:27017->27017/tcp                                            mongo-microservice
    [root@sandbox-test-28 ~]#

Am I missing something?

One solution, collected from the web, for “Temporarily disabling exposed ports on Docker”:

The subnets in your rules are different:

    172.18.0.11/32 (authentication service)

vs

    172.18.0.16/32 (nginx)

So presumably, the packets for your authentication server arrive via 172.18.0.16 and are still allowed by a different rule.
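Which clients a rule in the DOCKER chain can affect is the practical point here: the rules quoted in the question match only packets whose destination is the container address, whose ingress interface is not the bridge (`! -i br-3ec61cf14e6e`), and that are being forwarded onto the bridge. The following Python is an added example, not code from the question or the answer; it models the match conditions of the two DROP rules against a few constructed flows toward the authentication container, using the addresses as the question's own rules give them (172.18.0.16 for the authentication service, 172.18.0.11 for nginx). The web client address 172.18.0.12, the interface name eth0, and the assumed layout of Docker's FORWARD chain (a conntrack RELATED,ESTABLISHED accept before the jump to DOCKER, an accept for traffic entering and leaving on the same bridge after it, and no DOCKER traversal at all for traffic the VM itself originates, which goes through OUTPUT) are assumptions, not facts stated on the page.

```python
"""Added example, not code from the original question or answer: a small
model of which flows the DOCKER-chain rules quoted above can match.

Assumptions not stated on the page: the web client container shares the
bridge br-3ec61cf14e6e with the auth service and has the constructed address
172.18.0.12; the host's external interface is eth0; Docker's filter table
has its usual layout, where FORWARD accepts RELATED,ESTABLISHED traffic
before jumping to DOCKER, later accepts traffic whose in and out interface
are both the bridge, and locally generated traffic goes through OUTPUT,
which never jumps to DOCKER.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rules copied from the question (the already-modified DROP versions).
MODIFIED_RULES = """
-A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j DROP
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j DROP
"""

RULE_RE = re.compile(
    r"-A DOCKER -d (?P<dst>[\d.]+)/32 ! -i (?P<not_in>\S+) -o (?P<out>\S+)"
    r" -p tcp -m tcp --dport (?P<dport>\d+) -j (?P<target>ACCEPT|DROP)$"
)


@dataclass(frozen=True)
class DockerRule:
    dst: str
    not_in: str   # "! -i": the rule does NOT match packets entering on this interface
    out: str
    dport: int
    target: str


@dataclass(frozen=True)
class Flow:
    chain: str          # "FORWARD" for routed/bridged packets, "OUTPUT" for host-originated
    in_iface: str       # "" when locally generated
    out_iface: str
    dst: str            # destination after nat PREROUTING, which is what the filter table sees
    dport: int
    established: bool = False


def parse_rules(text: str) -> list[DockerRule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append(DockerRule(m["dst"], m["not_in"], m["out"], int(m["dport"]), m["target"]))
    return rules


def rule_matches(rule: DockerRule, flow: Flow) -> bool:
    return (flow.dst == rule.dst
            and flow.in_iface != rule.not_in
            and flow.out_iface == rule.out
            and flow.dport == rule.dport)


def verdict(rules: list[DockerRule], flow: Flow, bridge: str) -> str:
    """Walk the assumed filter-table layout for one packet of the flow."""
    if flow.chain != "FORWARD":
        return "OUTPUT: DOCKER chain not traversed"
    if flow.established:
        return "ACCEPT (FORWARD conntrack ESTABLISHED, before DOCKER)"
    for rule in rules:                     # -A FORWARD -o <bridge> -j DOCKER
        if rule_matches(rule, flow):
            return f"{rule.target} (DOCKER rule dport {rule.dport})"
    if flow.in_iface == bridge and flow.out_iface == bridge:
        return "ACCEPT (FORWARD intra-bridge rule)"
    return "FORWARD chain policy"


BRIDGE = "br-3ec61cf14e6e"

# Constructed flows toward the authentication container 172.18.0.16:8081.
FLOWS = {
    "external client, new connection via published port":
        Flow("FORWARD", "eth0", BRIDGE, "172.18.0.16", 8081),
    "external client, connection opened before the rule change":
        Flow("FORWARD", "eth0", BRIDGE, "172.18.0.16", 8081, established=True),
    "webclient container on the same bridge (172.18.0.12, assumed)":
        Flow("FORWARD", BRIDGE, BRIDGE, "172.18.0.16", 8081),
    "process on the VM itself (localhost or host IP)":
        Flow("OUTPUT", "", BRIDGE, "172.18.0.16", 8081),
}


def classify_all() -> dict[str, str]:
    rules = parse_rules(MODIFIED_RULES)
    return {name: verdict(rules, flow, BRIDGE) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:<62} -> {result}")
```

Running it shows that only a new connection arriving from outside the VM reaches the DROP. A connection that was already open when the rule was flipped keeps working under the conntrack accept, another container on the same bridge network is never matched because of `! -i br-3ec61cf14e6e`, and a client on the VM itself never enters the DOCKER chain. On the real host the quick check is `iptables -L DOCKER -n -v`: if the DROP rule's packet counter does not move while the login still succeeds, the login traffic is taking one of those other paths.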
