I'm using docker-compose to deploy my app.

I want to access the deployment database from my development machine.

Is there a way to expose a port with a source IP address limit? Like the port forwarding in advanced firewalls. I mean, I want to map my database port to something like 0.0.0.0:1234, and only my IP can connect to that.

Currently, I exposed the ports to 127.0.0.1:1234 and used ssh port mapping to access that, but all running applications on that server and anyone who has ssh access to the server may connect to that.

  db:
    #....
    ports:
      - "127.0.0.1:1234:5432"
  #....

  ssh -L 1234:127.0.0.1:1234 [email protected]

1 Answer

I'd start by not depending on network policies to secure an application; this is how many attackers are easily able to pivot their attack once they find a single vulnerability to get behind the firewall. Instead, each app should have its own authentication requirements, encrypted communications, etc. to eliminate the concern of who can access what port.

That being said, to configure the firewall for docker published ports, you need the DOCKER-USER table, and conntrack to identify the original port on the host (rather than the port of the container). And you insert rules in this from last to first since there's a default rule already in there to accept everything. For example, to allow port 5000:

  # drop external requests by default
  iptables -I DOCKER-USER -j DROP
  # allow existing requests
  iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  # allow inter-container requests
  iptables -I DOCKER-USER -i br+ -j RETURN
  # allow request from docker to external
  iptables -I DOCKER-USER -i docker+ -j RETURN
  # allow anything to host port 5000
  iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport 5000 -j RETURN
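
The same DOCKER-USER approach applied to the question's case (one source address allowed to reach the published database port), as an added example that is not part of the answer above: a hypothetical helper `docker_user_rules` that prints the iptables commands so they can be reviewed before being applied; port 1234 and the address 203.0.113.10 are constructed sample values.

```shell
#!/bin/sh
# docker_user_rules <host_port> <allowed_source_cidr>
#
# Prints iptables commands that restrict a Docker-published TCP port to a
# single source address using the DOCKER-USER chain. Hypothetical helper,
# not part of the original answer.
#
# Lines are printed in "-I" (insert-at-top) order, so the LAST printed rule
# ends up FIRST in the chain. By the time a packet reaches DOCKER-USER it
# has already been DNATed to the container port, so the published host port
# is matched via conntrack's original destination (--ctorigdstport), not
# with a plain --dport.
docker_user_rules() {
    port="$1"
    src="$2"
    # basic sanity checks so a typo does not become an open firewall
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    case "$src" in
        ''|*[!0-9./]*) echo "invalid IPv4 address/CIDR: '$src'" >&2; return 1 ;;
    esac

    cat <<EOF
# default: drop everything reaching published ports from outside
iptables -I DOCKER-USER -j DROP
# packets belonging to connections that are already established
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
# container-to-container traffic on user-defined bridges (br-<id>)
iptables -I DOCKER-USER -i br+ -j RETURN
# traffic originating from containers on the default bridge
iptables -I DOCKER-USER -i docker+ -j RETURN
# only $src may reach host port $port (matched on the pre-DNAT port)
iptables -I DOCKER-USER -p tcp -s $src -m conntrack --ctorigdstport $port -j RETURN
EOF
}
```

To apply, publish the port on all interfaces in the compose file (for example `"1234:5432"` instead of `"127.0.0.1:1234:5432"`) and run `docker_user_rules 1234 203.0.113.10/32 | sudo sh`. Note that DOCKER-USER sits in the FORWARD path, so it filters traffic arriving from other hosts but not connections made by processes running on the Docker host itself.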
