Comment on Docker firewall question
Max_P@lemmy.max-p.me 6 days ago
With Docker, the internal network is just a bridge interface. The reason most firewall rules don’t apply is a combination of:
- Containers have their own namespace including network namespace, so each container have a blank iptables just for them.
- For container communication, that goes through the FORWARD table, not the INPUT/OUTPUT ones.
- Docker adds its own rules to ensure that this works as expected.
The only thing that should be affected by the host firewall is the proxy service Docker uses to listen on a port on the host and send it to the container.
When using Docker, each container acts like an independent machine, and your host gets configured to act as a router. You can firewall Docker containers, the rules just need to be in the right place to work.
Quail4789@lemmy.ml 6 days ago
Thanks, just to clarify, even if I deny all forwards on the host using UFW, that still won’t have an affect on Docker. Correct?