I've been trying to find a way to ensure that selected containers are only accessible from the LAN that the (Linux) Docker host is part of. I've seen this question asked/answered on Reddit, Stack, and some random other sites. They simply state that when you publish ports you should include the localhost address in your compose YAML, like:
ports:
  - 127.0.0.1:8080:8080
This makes sense I suppose, but after implementing that, this is what I see in the iptables rules created by Docker:
Chain DOCKER (5 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.22.0.2 tcp dpt:8080
And when I forward the port on my gateway it can be accessed from outside the LAN.
I've seen others point to this page, which shows how to restrict all containers: https://docker-docs.netlify.app/network/iptables/ but I don't think (?) that option will work for me because I want to selectively control which containers are restricted.
I also see mention of disabling Docker's ability to add rules, but since the docs don't recommend that I'd rather avoid it if possible.
Possibly relevant info: Ubuntu Server 22, containers using the default (bridge) network mode, ufw is installed/active.
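As an added example that is not part of the original post, the following script shows the per-container variant of the DOCKER-USER approach from the linked docs page: instead of dropping all non-LAN traffic, each rule matches only the host port a given container publishes, so other containers are left alone. The interface name eth0, the LAN 192.168.1.0/24 and the port 8080 are placeholders assumed here, not values from the post. Rules in DOCKER-USER are evaluated in the FORWARD chain after Docker's nat-table DNAT has already rewritten the destination to the container address (172.22.0.2 in the post's output), so the rule matches the conntrack original destination port rather than the container IP, which changes whenever the container is recreated.

```shell
#!/bin/sh
# Added example, not from the original post: restrict ONE published port to
# the LAN via Docker's DOCKER-USER chain, leaving other containers untouched.
# Placeholders (assumptions, not from the post): interface eth0, LAN
# 192.168.1.0/24, published TCP host port 8080. Applying needs root + iptables.
set -eu

# Print the match/target arguments for a DOCKER-USER rule that drops packets
# arriving on interface $1 from outside CIDR $2 whose ORIGINAL (pre-DNAT)
# destination port was $3. --ctdir ORIGINAL keeps reply packets from matching.
lan_only_args() {
  ext_if=$1; lan_cidr=$2; host_port=$3
  args="-i $ext_if -p tcp -m conntrack --ctorigdstport $host_port --ctdir ORIGINAL ! -s $lan_cidr -j DROP"
  printf '%s' "$args"
}

# Full command line, for review or for pasting into a boot-time script.
lan_only_rule() {
  printf 'iptables -I DOCKER-USER %s\n' "$(lan_only_args "$@")"
}

# Idempotently apply one rule per published port: -C tests for an identical
# existing rule, -I inserts at the top of DOCKER-USER so it runs before the
# chain's trailing RETURN. With DRY_RUN=1 the commands are only printed.
apply_lan_only() {
  ext_if=$1; lan_cidr=$2; shift 2
  for port in "$@"; do
    args=$(lan_only_args "$ext_if" "$lan_cidr" "$port")
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'iptables -I DOCKER-USER %s\n' "$args"
    else
      # word splitting of $args is intentional: each token is one iptables argument
      iptables -C DOCKER-USER $args 2>/dev/null || iptables -I DOCKER-USER $args
    fi
  done
}

# Usage: [DRY_RUN=1] sh lan-only.sh eth0 192.168.1.0/24 8080 [more ports...]
if [ "$#" -ge 3 ]; then
  apply_lan_only "$@"
fi
```

Two caveats when using this. DOCKER-USER only sees forwarded traffic, so it governs what reaches the container through the bridge; it does not replace ufw, whose rules live in INPUT and are bypassed for published ports because Docker's FORWARD jump runs first. And the rule distinguishes clients by source address, so if the gateway rewrites the source (SNAT/masquerade) when it forwards the port, outside clients will appear to come from the gateway's LAN address and will still be allowed; check the source addresses the host actually sees before trusting the rule. The rules are not persisted across reboots on their own; reapply them from a boot-time script or a persistence package.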