Why does Docker expose my private services to the world?

If you run Docker services and rely only on a host firewall such as UFW or firewalld, there is a high chance that your container services are exposed to the world.


Understanding iptables chains

Chain DOCKER (1 references)
num target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere

Chain DOCKER (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num target prot opt source destination
1 DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
2 RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere
2 RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- anywhere anywhere
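As an added example (not code from the original post), a small Python audit script that parses listings in the `iptables -L <chain> --line-numbers` format shown above, reports every published service the DOCKER chain ACCEPTs from any source, and checks whether DOCKER-USER still holds only Docker's default unconditional RETURN. The two listings embedded in it are constructed samples.

```python
import re
from typing import Dict, List
# Constructed sample listings in the format of `iptables -L <chain> --line-numbers`
# on a host with two running containers that publish ports 80 and 5432.
DOCKER_CHAIN = """\
Chain DOCKER (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http
2    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:postgresql
"""
DOCKER_USER_CHAIN = """\
Chain DOCKER-USER (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere
"""
ANY_SOURCE = {"anywhere", "0.0.0.0/0"}  # "any" as printed with and without -n

def parse_chain(text: str) -> List[Dict[str, str]]:
    """Turn one chain listing into rule dicts; the banner and column header are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        num, target, prot, _opt, src, dst = parts[:6]
        port = re.search(r"dpt:(\S+)", " ".join(parts[6:]))
        rules.append({"num": num, "target": target, "prot": prot, "src": src,
                      "dst": dst, "dport": port.group(1) if port else ""})
    return rules

def published_from_anywhere(docker_chain: str) -> List[str]:
    """'container_ip:port/proto' for each rule Docker added that ACCEPTs any source."""
    return [f'{r["dst"]}:{r["dport"]}/{r["prot"]}'
            for r in parse_chain(docker_chain)
            if r["target"] == "ACCEPT" and r["src"] in ANY_SOURCE]

def docker_user_is_default(docker_user_chain: str) -> bool:
    """True when DOCKER-USER contains only Docker's unconditional RETURN,
    i.e. nothing in the admin-owned chain restricts the ACCEPTs in DOCKER."""
    rules = parse_chain(docker_user_chain)
    return all(r["target"] == "RETURN" and r["src"] in ANY_SOURCE
               and r["dst"] in ANY_SOURCE for r in rules)

if __name__ == "__main__":
    if docker_user_is_default(DOCKER_USER_CHAIN):
        print("DOCKER-USER is untouched; published services reachable from any source:")
        for service in published_from_anywhere(DOCKER_CHAIN):
            print("  ", service)
```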

Iptables and DOCKER-USER chain

# Drop forwarded traffic arriving on eth0 whose source address is not localhost
$ iptables -I DOCKER-USER ! -s localhost -i eth0 -j DROP
# -I inserts at position 1, so this ACCEPT lands above the DROP and is evaluated first
$ iptables -I DOCKER-USER -i eth0 -o docker0 -j ACCEPT

UFW and docker

# RETURN hands packets from the RFC 1918 private ranges back to the calling chain
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

Conclusion

Bioinformatician, Researcher, Developer