How to prevent Docker from bypassing your firewall on Linux

If you’re running a service using Docker that you want open to the internet via a reverse proxy, and not via Docker’s open port, you’ll need to disable Docker’s default IPTables behavior.

For example, consider a web service that:

By default, Docker automatically opens port 3000 anyway, making your internal HTTP service available on the web on port 3000!

Here’s how to fix that:

First, add this line to your /etc/default/docker file:


(You may need to modify the existing DOCKER_OPTS if one is already configured.)

Then set "iptables" to false in your /etc/docker/daemon.json file. If that file does not exist, you can create it such that it looks something like this:

{ "iptables": false }

Finally, restart Docker

sudo service docker restart

Now, you’re free to use ufw or your firewall software of choice to manage your system’s open ports, and plug your reverse proxy of choice as you like!

I learned this information from this StackOverflow answer.