Temporarily disabling exposed ports on Docker

I would like to temporarily disable some Docker container ports at runtime, so without changing the image or stopping/starting the container.

I have some services running: a web client, an authentication service, a MongoDB instance and also a load balancer, all of them in the same VM.

Since there is no API to modify exposed ports at runtime in Docker, I have to work with the iptables command.

So I've built some code which disables the ports related to a particular container name passed as a parameter.

I have the following rule for the authentication server:

    -A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j ACCEPT

Which my code modifies as follows:

    -A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j DROP

At this point I am expecting that I can't authenticate anymore, but I still can.

At the same time, if I try the same code against the load balancer, everything works fine: I can't access the URL, as expected.

These are the original rules for nginx:

    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j ACCEPT
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j ACCEPT
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j ACCEPT

Here are the modified ones:

    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j DROP
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j DROP
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j DROP

Below is the output of the docker ps command:

    [root@sandbox-test-28 ~]# docker ps 
    CONTAINER ID        IMAGE                       COMMAND                   CREATED             STATUS              PORTS                                                               NAMES
    d007479faaf4        service-auth-nodejs         "/bin/sh -c \"/usr/bin"   2 days ago          Up 2 days           0.0.0.0:8081->8081/tcp                                              authentication-microservice
    c073989b49ce        nginx                       "/bin/bash -c /etc/ng"    2 days ago          Up 2 days           0.0.0.0:443->443/tcp, 0.0.0.0:9000->80/tcp, 0.0.0.0:10000->81/tcp   nginx-microservice
    432ea895d90a        web                         "/bin/sh -c \"/usr/bin"   2 days ago          Up 2 days           0.0.0.0:8000->8000/tcp                                              webclient-microservice
    0c8141da8c0b        mongo                       "/entrypoint.sh mongo"    2 days ago          Up 2 days           0.0.0.0:27017->27017/tcp                                            mongo-microservice
    [root@sandbox-test-28 ~]# 

Am I missing something?

Answer:

The subnets in your rules are different:

    172.18.0.11/32 (authentication service)

vs

    172.18.0.16/32 (nginx)

So presumably, the packets for your authentication server arrive via 172.18.0.16 and are still allowed by a different rule.
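The following Python script is an added example, not code from the question or the answer. It serves both the question (rewriting a container's DOCKER-chain rules from ACCEPT to DROP) and the answer (checking which destination address a rule really belongs to before editing it). It parses rules in the iptables-save form quoted above, lists the ports per destination address, flips the target for one container's rules the way the asker's script does, and then walks the DOCKER chain for a sample packet to show which rule, if any, it would hit. The sample rules are constructed to mirror the question's; "eth0" as the host interface is an assumption. It goes one step beyond the page by modelling the `! -i br-...` negation in these rules: a packet that arrives on the bridge itself (traffic from another container on the same Docker network) never matches them, so flipping such a rule to DROP leaves that path untouched, which is worth checking before concluding that a DROP "did not work".

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: DOCKER-chain rules in iptables-save form, shaped like the
# ones quoted in the question (container IP, bridge interface, port, target).
SAMPLE_RULES = """\
-A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j ACCEPT
"""

# The rule shape Docker emits for a published port; the "! " before -i is optional.
RULE_RE = re.compile(
    r"^-A DOCKER -d (?P<dst>\S+)"
    r"(?: (?P<in_neg>! )?-i (?P<in_if>\S+))?"
    r"(?: -o (?P<out_if>\S+))?"
    r" -p (?P<proto>\w+) -m \w+ --dport (?P<dport>\d+) -j (?P<target>\w+)$"
)

@dataclass
class DockerRule:
    dst: ipaddress.IPv4Network
    in_if: Optional[str]
    in_negated: bool  # True for "! -i <iface>"
    out_if: Optional[str]
    proto: str
    dport: int
    target: str

    def matches(self, dst, dport, in_if, out_if, proto="tcp"):
        """True if a packet with these attributes would hit this rule."""
        if self.proto != proto or self.dport != dport:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        # "! -i X" fails when the packet came in on X; "-i X" fails when it did not.
        if self.in_if is not None and (in_if == self.in_if) == self.in_negated:
            return False
        return self.out_if is None or out_if == self.out_if

    def render(self):
        """Back to iptables-save syntax (what you would feed to iptables -R)."""
        parts = ["-A DOCKER", "-d", str(self.dst)]
        if self.in_if is not None:
            parts += (["!"] if self.in_negated else []) + ["-i", self.in_if]
        if self.out_if is not None:
            parts += ["-o", self.out_if]
        parts += ["-p", self.proto, "-m", self.proto, "--dport", str(self.dport), "-j", self.target]
        return " ".join(parts)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A DOCKER "):
            continue  # other chains, comments, blank lines
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised DOCKER rule: " + line)
        rules.append(DockerRule(ipaddress.ip_network(m["dst"], strict=False), m["in_if"],
                                m["in_neg"] is not None, m["out_if"], m["proto"],
                                int(m["dport"]), m["target"]))
    return rules

def ports_by_destination(rules):
    """Ports each destination address has rules for: check before editing."""
    out = {}
    for r in rules:
        out.setdefault(str(r.dst.network_address), []).append(r.dport)
    return {ip: sorted(ports) for ip, ports in out.items()}

def set_target(rules, dst_ip, target, ports=None):
    """Flip the target of every rule for dst_ip (optionally only some ports), as
    the asker's script turns ACCEPT into DROP. Returns the number changed."""
    changed = 0
    for r in rules:
        if ipaddress.ip_address(dst_ip) in r.dst and (ports is None or r.dport in ports):
            if r.target != target:
                r.target, changed = target, changed + 1
    return changed

def verdict(rules, dst, dport, in_if, out_if, proto="tcp"):
    """First-match walk of the DOCKER chain; "NO_MATCH" means the packet falls
    through (in the kernel: back to FORWARD, whose other rules then decide)."""
    for r in rules:
        if r.matches(dst, dport, in_if, out_if, proto):
            return r.target
    return "NO_MATCH"

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(ports_by_destination(rules))
    set_target(rules, "172.18.0.16", "DROP")
    bridge = "br-3ec61cf14e6e"
    # From outside the VM (arrives on the host NIC, "eth0" assumed): DROP applies.
    print(verdict(rules, "172.18.0.16", 8081, "eth0", bridge))
    # From another container on the same bridge: "! -i" excludes it, no rule hits.
    print(verdict(rules, "172.18.0.16", 8081, bridge, bridge))
```

Run it against real output by piping `iptables-save -t filter` into `parse_rules`; only the DOCKER chain is modelled, so treat "NO_MATCH" as "decided elsewhere" rather than as allowed or denied.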
