Don’t expose your Docker ports

Let’s say you have a couple of Docker containers that run your favorite applications. You’d like to deploy these to some random server on the interwebs, so you lock down your Ubuntu server using the default UFW firewall, launch your containers and start using your applications. You run ufw status to make sure that everything’s locked down the way it should be. Good to go! Or?

Not necessarily. You may be exposing your Docker applications to the whole world without even knowing it. There’s a long-running issue on GitHub explaining why. Here’s the short version: Docker is manipulating the iptables rules behind the scenes, while UFW tells you everything’s fine. Luckily, the solution is simple. Add this snippet to the file /etc/docker/daemon.json and restart Docker:

{
  "iptables": false
}

For a Docker or DevOps expert, this is probably common knowledge. For many developers and hobby server maintainers it’s probably not. Keep this in mind when deploying Docker applications to a server that is accessible to the world.
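One way to check for the mismatch described above, as an added example that is not part of the original post: it lists published container ports bound to every interface, which ufw status does not show. The function names and the sample input are constructed for illustration; the input shape assumed is that of docker ps --format '{{.Names}}\t{{.Ports}}'.

```shell
#!/bin/sh
# Added example (not from the original post): list published container ports
# that are bound to all interfaces, independent of what UFW reports.
#
# Input:  lines of "<name><TAB><ports>", the shape produced by
#           docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one "<name> <host-port>/<proto>" line per wildcard-bound port.
find_public_ports() {
  awk -F '\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        # Only "host->container" entries are published; a bare "80/tcp" is not.
        if (index(m, "->") == 0) continue
        host = substr(m, 1, index(m, "->") - 1)
        proto = m; sub(/^.*\//, "", proto)
        # Split the host side into address and port at the last colon.
        port = host; sub(/^.*:/, "", port)
        addr = substr(host, 1, length(host) - length(port) - 1)
        # Wildcard binds: IPv4 0.0.0.0 and IPv6 "::" or "[::]".
        if (addr == "0.0.0.0" || addr == "::" || addr == "[::]") {
          key = $1 " " port "/" proto
          # Report a port once even if bound on both IPv4 and IPv6.
          if (!(key in seen)) { seen[key] = 1; print key }
        }
      }
    }'
}

# Constructed sample input (not real output from any host).
sample_ps() {
  printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n'
  printf 'db\t127.0.0.1:5432->5432/tcp\n'
  printf 'cache\t6379/tcp\n'
  printf 'admin\t0.0.0.0:9000->9000/tcp, [::]:9443->9443/tcp\n'
}

# On a real host, replace sample_ps with:
#   docker ps --format '{{.Names}}\t{{.Ports}}'
sample_ps | find_public_ports
```

Ports bound to 127.0.0.1 and ports that are only exposed (not published) are left out, since neither is reachable from other machines.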
