Don’t expose your Docker ports

Let’s say you have a couple of Docker containers that run your favorite applications. You’d like to deploy these to some random server on the interwebs, so you lock down your Ubuntu server using the default UFW firewall, launch your containers and start using your applications.

You run ufw status to make sure that everything’s locked down the way it should be. Good to go, right?

Not necessarily. You may be exposing your Docker applications to the whole world without even knowing it. There’s a long-running issue on GitHub explaining why. Here’s the short version: UFW manages only its own iptables chains, and ufw status reports only the rules you gave UFW, not the full ruleset on the machine. Every port you publish with -p, however, is implemented by Docker as iptables rules it writes behind the scenes: a DNAT rule in the nat table that redirects traffic arriving on the host port to the container, plus ACCEPT rules in its own chains, which it inserts at the top of the FORWARD chain ahead of UFW’s. Forwarded traffic never goes through INPUT, so UFW’s deny rules never see it, and the container answers the whole internet while UFW tells you everything’s fine. The blunt fix is to stop Docker from touching iptables at all. Add this snippet to the file /etc/docker/daemon.json and restart Docker:

{
  "iptables": false
}
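Since ufw status cannot show you Docker’s rules, the honest check is to read them straight out of the nat table. The script below is an added example, not code from the original post: it parses the output of iptables -t nat -S DOCKER and lists every published port whose host-side address is not loopback. The sample rules are constructed for the example in the classic DOCKER-chain format (the container IPs and the 203.0.113.10 host address are made up), and the function names exposed_ports and audit_live_host are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: find the container ports that
# Docker's own DNAT rules expose on the host, by reading `iptables -t nat -S DOCKER`.
# UFW does not show these rules, so this is the check `ufw status` cannot give you.
set -eu

# Constructed sample of `iptables -t nat -S DOCKER` output (container IPs and
# the 203.0.113.10 host address are made up) from a host that ran:
#   docker run -p 8080:80 ...                  -> bound to every host address
#   docker run -p 127.0.0.1:5432:5432 ...      -> bound to loopback only
#   docker run -p 203.0.113.10:443:8443 ...    -> bound to one public address
SAMPLE_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.4:8443'

# Reads `iptables -t nat -S DOCKER` output on stdin and prints one line per
# DNAT rule whose host-side address is not loopback. A rule with no -d matches
# every address on the host; the traffic is forwarded to the container and
# never reaches the INPUT chain where UFW's rules live.
exposed_ports() {
  awk '
    /^-A DOCKER / && /-j DNAT/ {
      proto = ""; dport = ""; dest = ""; addr = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--to-destination") dest = $(i + 1)
        else if ($i == "-d") addr = $(i + 1)
      }
      sub("/32$", "", addr)
      if (addr ~ /^127\./) next                 # loopback-only publish: fine
      if (addr == "") addr = "all host addresses"
      print proto "/" dport " on " addr " -> " dest
    }'
}

# Convenience wrapper for a real host (needs root; not used by the sample run).
audit_live_host() {
  iptables -t nat -S DOCKER | exposed_ports
}

# Run against the constructed sample: reports 8080 and 443, skips the loopback 5432.
printf '%s\n' "$SAMPLE_RULES" | exposed_ports
```

On a real host, call audit_live_host as root. A port published with -p 127.0.0.1:... shows up with -d 127.0.0.1/32 and is skipped, because only a process on the host itself can reach it. The sample assumes the classic rule layout; if your Docker version prints the nat rules under a different chain name, adjust the pattern at the top of the awk program.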

Be aware of what this setting costs you: Docker then writes no iptables rules at all, including the MASQUERADE rule that gives containers their outbound internet access, so you have to add that NAT rule yourself. If that is more than you want, there are two more targeted options: publish ports on loopback only (-p 127.0.0.1:8080:80) and put a reverse proxy in front, which is a normal host process and therefore subject to UFW like any other service, or put your allow and deny rules in the DOCKER-USER chain, which Docker consults before its own rules for forwarded traffic. For a Docker or DevOps expert, this is probably common knowledge. For many developers and hobby server maintainers, it’s probably not. Keep this in mind when deploying Docker applications to a server that is accessible to the world.