Temporarily disabling exposed ports on Docker

I would like to temporarily disable some Docker container ports at runtime, that is, without changing the image or stopping/starting the container.

I have some services running: a web client, an authentication service, a MongoDB instance and also a load balancer, all of them in the same VM.

Since there is no API to modify exposed ports at runtime in Docker, I have to work with the iptables command.

So I’ve built some code which disables the ports related to a particular container name passed as a parameter.

I have the following rule for the authentication server:

    -A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j ACCEPT

Which my code modifies as follows:

    -A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j DROP

At this point I am expecting that I can’t authenticate anymore, but I still can.

At the same time, if I try the same code against the load balancer, everything works fine: I can’t access the URL, as expected.

These are the original rules for nginx:

    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j ACCEPT
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j ACCEPT
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j ACCEPT

Here are the modified ones:

    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j DROP
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j DROP
    -A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j DROP

Below is the output of the docker ps command:

    [root@sandbox-test-28 ~]# docker ps 
    CONTAINER ID        IMAGE                       COMMAND                   CREATED             STATUS              PORTS                                                               NAMES
    d007479faaf4        service-auth-nodejs         "/bin/sh -c \"/usr/bin"   2 days ago          Up 2 days           0.0.0.0:8081->8081/tcp                                              authentication-microservice
    c073989b49ce        nginx                       "/bin/bash -c /etc/ng"    2 days ago          Up 2 days           0.0.0.0:443->443/tcp, 0.0.0.0:9000->80/tcp, 0.0.0.0:10000->81/tcp   nginx-microservice
    432ea895d90a        web                         "/bin/sh -c \"/usr/bin"   2 days ago          Up 2 days           0.0.0.0:8000->8000/tcp                                              webclient-microservice
    0c8141da8c0b        mongo                       "/entrypoint.sh mongo"    2 days ago          Up 2 days           0.0.0.0:27017->27017/tcp                                            mongo-microservice
    [root@sandbox-test-28 ~]# 

Am I missing something?
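As an added example that is not part of the question or the answer, the following shell script parses an `iptables -S DOCKER` dump for a given container IP and generates reversible DROP rules to insert ahead of Docker's own ACCEPT rules, rather than rewriting the ACCEPT rules in place; the chain dump is constructed from the rules quoted in the question. It assumes the standard Docker filter-table layout in which the DOCKER chain is reached from FORWARD, so connections made from the host itself or from another container on the same bridge never traverse these rules and are not affected by them.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Constructed sample of `iptables -S DOCKER`, modelled on the rules in the question.
SAMPLE_DOCKER_CHAIN='-N DOCKER
-A DOCKER -d 172.18.0.16/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 8081 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.11/32 ! -i br-3ec61cf14e6e -o br-3ec61cf14e6e -p tcp -m tcp --dport 443 -j ACCEPT'

# Print "<bridge> <port>" for every ACCEPT rule in the chain dump ($1) whose
# destination is the container IP ($2). These are the published-port rules.
published_ports() {
    printf '%s\n' "$1" | awk -v ip="$2/32" '
        $1 == "-A" && $2 == "DOCKER" && $NF == "ACCEPT" {
            dst = ""; br = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-o") br = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (dst == ip && port != "") print br, port
        }'
}

# Emit the iptables commands that block the container's published ports by
# inserting DROP rules at the top of the DOCKER chain. They carry the same
# "! -i <bridge> -o <bridge>" condition as Docker's rules, so they only match
# traffic entering the bridge from outside. Traffic generated on the host
# itself goes through OUTPUT (not FORWARD), and traffic from another container
# on the same bridge arrives with "-i <bridge>"; neither reaches these rules.
# To re-enable, run the same commands with "-I DOCKER 1" replaced by "-D DOCKER".
block_cmds() {
    published_ports "$1" "$2" | while read -r br port; do
        printf 'iptables -I DOCKER 1 -d %s/32 ! -i %s -o %s -p tcp -m tcp --dport %s -j DROP\n' \
            "$2" "$br" "$br" "$port"
    done
}

# On a real host the two arguments would come from `iptables -S DOCKER` and
# `docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <name>`.
block_cmds "$SAMPLE_DOCKER_CHAIN" 172.18.0.11
```

Run as root and pipe the output into `sh` to apply it; a rule inserted this way is easy to audit with `iptables -S DOCKER` and to remove again, whereas an in-place edit of Docker's own rule is lost whenever Docker regenerates the chain.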

One solution collected from the web for “Temporarily disabling exposed ports on Docker”

The subnets in your rules are different:

    172.18.0.11/32 (authentication service)

vs

    172.18.0.16/32 (nginx)

So presumably, the packets for your authentication server arrive via 172.18.0.16 and are still allowed by a different rule.
