Docker - Exposed ports accessible from outside - iptables rules ignored

Solution 1:

Internally, Docker uses iptables to forward connections arriving at the Docker host on port 8080 to the service listening on port 80 in the container. The key line in your configuration is this one:

-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80

By inserting (-I) a new FORWARD rule, you can block connections from being forwarded to the container IP, in this case 172.17.0.2. Try this rule:

/sbin/iptables -I FORWARD '!' -s 123.456.789.0 -d 172.17.0.2 -p tcp --dport 80 -j DROP

Solution 2:

You can bind the port to your local machine only. Then Docker will not expose the port to the outside (via iptables).

docker run -p 127.0.0.1:8080:8080 some_image
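Both answers come down to the same point: a published port is reachable through Docker's DNAT rule regardless of the host's INPUT chain, so the defence is either to restrict forwarding or to bind to loopback. The following shell script is an added example, not code from either answer or from Docker itself: it audits the PORTS column of `docker ps --format '{{.Names}} {{.Ports}}'` for mappings bound to all interfaces (0.0.0.0 or ::) and, for each, prints a DROP rule for the DOCKER-USER chain, the chain Docker provides for administrator rules that are evaluated before its own FORWARD rules. The sample input, the trusted source address 203.0.113.10 and the function names are constructed for the example. Note that DOCKER-USER sees traffic after DNAT, so the `--dport` in the suggested rule is the container-side port, the same convention as the FORWARD rule in Solution 1.

```shell
#!/bin/sh
# Added example: find published Docker ports bound to all interfaces and
# suggest a matching DOCKER-USER rule. Input lines look like the output of
#   docker ps --format '{{.Names}} {{.Ports}}'
# e.g. "web 0.0.0.0:8080->80/tcp, :::8080->80/tcp"

# Return 0 if a host address part is loopback (not reachable from outside).
is_loopback_bind() {
  case "$1" in
    127.*|::1|'[::1]') return 0 ;;
    *) return 1 ;;
  esac
}

# Read "name mapping, mapping, ..." lines on stdin; print one line per
# world-bound mapping as "<name> <hostaddr> <hostport> <containerport/proto>".
audit_ports() {
  while read -r name rest; do
    [ -n "$rest" ] || continue
    printf '%s\n' "$rest" | tr ',' '\n' | while read -r m; do
      case "$m" in *'->'*) ;; *) continue ;; esac   # "6379/tcp" = exposed only
      host=${m%%->*}      # "0.0.0.0:8080" or ":::8080"
      cport=${m##*->}     # "80/tcp"
      hport=${host##*:}   # "8080"
      haddr=${host%:*}    # "0.0.0.0" or "::"
      if ! is_loopback_bind "$haddr"; then
        printf '%s %s %s %s\n' "$name" "$haddr" "$hport" "$cport"
      fi
    done
  done
}

# Count lines on stdin (portable alternative to wc -l's padded output).
count_lines() {
  n=0
  while read -r line; do n=$((n + 1)); done
  printf '%s\n' "$n"
}

# Print a DOCKER-USER rule dropping traffic to a container port from any
# source other than the trusted one. Arguments: <container port> <proto> <trusted src>.
suggest_drop_rule() {
  printf 'iptables -I DOCKER-USER -p %s --dport %s ! -s %s -j DROP\n' "$2" "$1" "$3"
}

# Demo on constructed input (not real docker ps output).
SAMPLE='web 0.0.0.0:8080->80/tcp, :::8080->80/tcp
db 127.0.0.1:5432->5432/tcp
cache 6379/tcp'
TRUSTED=203.0.113.10   # constructed placeholder for your admin network

printf '%s\n' "$SAMPLE" | audit_ports | while read -r name haddr hport cport; do
  echo "# $name: $haddr:$hport -> $cport is reachable from outside"
  suggest_drop_rule "${cport%/*}" "${cport#*/}" "$TRUSTED"
done
```

Run it as root with real input (`docker ps --format '{{.Names}} {{.Ports}}' | audit_ports`) to list exposures; the printed rules are suggestions to review, not applied automatically. For services that never need outside access, the simpler fix remains Solution 2: publish with `-p 127.0.0.1:8080:8080`, which the script then reports as safe.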