how to block external access to docker container linux centos 7 - Stack Overflow (https://cdn.sstatic.net/Sites/stackoverflow/Img/favicon.ico?v=ec617d715196) (https://cdn.sstatic.net/Sites/stackoverflow/Img/apple-touch-icon.png?v=c78bd457575a) (https://cdn.sstatic.net/Sites/stackoverflow/Img/apple-touch-icon.png?v=c78bd457575a) (Stack Overflow) (/opensearch.xml) (https://stackoverflow.com/questions/58930966/how-to-block-external-access-to-docker-container-linux-centos-7) (https://cdn.sstatic.net/Shared/stacks.css?v=bd2aba62c5a4) (https://cdn.sstatic.net/Sites/stackoverflow/primary.css?v=7d8876444382) (Feed for question 'how to block external access to docker container linux centos 7') (/feeds/question/58930966) (https://cdn.sstatic.net/Shared/Channels/channels.css?v=5981bb1a5bd7)  (https://accounts.google.com/gsi/style)  (site logo) Join Stack Overflow    By clicking “Sign up”, you agree to our (/legal/terms-of-service/public) terms of service and acknowledge you have read our (/legal/privacy-policy) privacy policy .  (9b9d1ff1208457cf29de4d03e17fc06b55f301e0c5c48e7398c73e63b318268a) (1) (2.0)      Sign up with Google    Sign up with GitHub     OR (9b9d1ff1208457cf29de4d03e17fc06b55f301e0c5c48e7398c73e63b318268a) (1) () () () () () () Email   Password (8+ characters (at least 1 letter & 1 number))      Sign up      Already have an account? (/users/login) Log in         (9b9d1ff1208457cf29de4d03e17fc06b55f301e0c5c48e7398c73e63b318268a) ()     Skip to main content     (https://stackoverflow.com) Stack Overflow  (https://stackoverflow.co/) About  Products   (https://stackoverflow.co/teams/ai/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav-bar&utm_content=overflowai) OverflowAI    (https://stackoverflow.co/teams/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=stack-overflow-for-teams) Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers   (https://stackoverflow.co/advertising/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=stack-overflow-advertising) Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand   (https://stackoverflow.co/teams/ai/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=overflow-ai) OverflowAI GenAI features for Teams   (https://stackoverflow.co/api-solutions/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=overflow-api) OverflowAPI Train & fine-tune LLMs   (https://stackoverflow.co/labs/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=labs) Labs The future of collective knowledge sharing   (https://stackoverflow.co/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=about-the-company) About the company (https://stackoverflow.blog/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=top-nav&utm_content=blog) Visit the blog    (Search…) ()    Loading…          (https://stackoverflow.com) current community        (https://stackoverflow.com) (Stack Overflow)  Stack Overflow    (https://stackoverflow.com/help) help (https://chat.stackoverflow.com/?tab=site&host=stackoverflow.com) chat     (https://meta.stackoverflow.com) (Meta Stack Overflow)  Meta Stack Overflow      your communities   (https://stackoverflow.com/users/signup?ssrc=site_switcher&returnurl=https%3a%2f%2fstackoverflow.com%2fquestions%2f58930966%2fhow-to-block-external-access-to-docker-container-linux-centos-7) Sign up or (https://stackoverflow.com/users/login?ssrc=site_switcher&returnurl=https%3a%2f%2fstackoverflow.com%2fquestions%2f58930966%2fhow-to-block-external-access-to-docker-container-linux-centos-7) log in to customize your list.   (https://stackexchange.com/sites) more stack exchange communities  (https://stackoverflow.blog) company blog      (Click to show search)     (https://stackoverflow.com/users/login?ssrc=head&returnurl=https%3a%2f%2fstackoverflow.com%2fquestions%2f58930966%2fhow-to-block-external-access-to-docker-container-linux-centos-7) Log in  (https://stackoverflow.com/users/signup?ssrc=head&returnurl=https%3a%2f%2fstackoverflow.com%2fquestions%2f58930966%2fhow-to-block-external-access-to-docker-container-linux-centos-7) Sign up      Let's set up your homepage Select a few topics you're interested in:   python javascript c# reactjs java android html flutter c++ node.js typescript css r php angular next.js spring-boot machine-learning sql excel ios azure docker  Or search from our full list:    (Search)        javascript  python  java  c#  php  android  html  jquery  c++  css  ios  sql  mysql  r  reactjs  node.js  arrays  c  asp.net  json  python-3.x  .net  ruby-on-rails  sql-server  swift  django  angular  objective-c  excel  pandas  angularjs  regex  typescript  ruby  linux  ajax  iphone  vba  xml  laravel  spring  asp.net-mvc  database  wordpress  string  flutter  postgresql  mongodb  wpf  windows  amazon-web-services  xcode  bash  git  oracle-database  spring-boot  dataframe  azure  firebase  list  multithreading  docker  vb.net  react-native  eclipse  algorithm  powershell  macos  visual-studio  numpy  image  forms  scala  function  vue.js  performance  twitter-bootstrap  selenium  winforms  kotlin  loops  express  dart  hibernate  sqlite  matlab  python-2.7  shell  rest  apache  entity-framework  android-studio  csv  maven  api  linq  qt  dictionary  unit-testing  facebook  asp.net-core  tensorflow  apache-spark  file  swing  class  unity-game-engine  sorting  date  authentication  go  symfony  t-sql  opencv  matplotlib  .htaccess  google-chrome  for-loop  datetime  codeigniter  http  perl  validation  sockets  google-maps  object  uitableview  xaml  oop  if-statement  visual-studio-code  cordova  ubuntu  web-services  email  android-layout  github  elasticsearch  spring-mvc  kubernetes  selenium-webdriver  ms-access  user-interface  parsing  ggplot2  pointers  machine-learning  google-sheets  c++11  security  flask  google-apps-script  ruby-on-rails-3  templates  nginx  variables  exception  sql-server-2008  gradle  debugging  tkinter  listview  delphi  jpa  asynchronous  pdf  web-scraping  haskell  jsp  ssl  amazon-s3  google-cloud-platform  jenkins  testing  xamarin  wcf  npm  batch-file  generics  ionic-framework  network-programming  unix  recursion  google-app-engine  mongoose  visual-studio-2010  .net-core  android-fragments  assembly  animation  math  next.js  session  svg  hadoop  intellij-idea  curl  django-models  join  laravel-5  rust  winapi  url  heroku  http-redirect  tomcat  google-cloud-firestore  inheritance  webpack  keras  image-processing  gcc  asp.net-mvc-4  web  logging  dom  swiftui  matrix  pyspark  actionscript-3  button  post  optimization  firebase-realtime-database  jquery-ui  iis  cocoa  xpath  d3.js  javafx  firefox  internet-explorer  xslt  caching  select  asp.net-mvc-3  opengl  events  asp.net-web-api  plot  dplyr  magento  encryption  search  stored-procedures  amazon-ec2  ruby-on-rails-4  memory  canvas  audio  multidimensional-array  jsf  random  vector  cookies  redux  facebook-graph-api  input  flash  xamarin.forms  indexing  arraylist  ipad  cocoa-touch  data-structures  video  apache-kafka  model-view-controller  serialization  jdbc  woocommerce  routes  razor  azure-devops  awk  servlets  mod-rewrite  beautifulsoup  docker-compose  excel-formula  iframe  filter  aws-lambda  design-patterns  text  django-rest-framework  visual-c++  cakephp  mobile  android-intent  react-hooks  struct  methods  groovy  mvvm  ssh  lambda  checkbox  ecmascript-6  google-chrome-extension  time  grails  installation  sharepoint  cmake  shiny  spring-security  jakarta-ee  android-recyclerview  plsql  core-data  types  meteor  android-activity  sed  bootstrap-4  websocket  activerecord  graph  replace  scikit-learn  file-upload  group-by  vim  junit  boost  deep-learning  import  sass  memory-management  error-handling  async-await  dynamic  eloquent  soap  silverlight  dependency-injection  charts  layout  apache-spark-sql  deployment  browser  gridview  svn  while-loop  google-bigquery  vuejs2  ffmpeg  dll  highcharts  view  foreach  plugins  makefile  c#-4.0  redis  reporting-services  jupyter-notebook  merge  server  unicode  https  reflection  google-maps-api-3  twitter  oauth-2.0  extjs  pytorch  axios  terminal  pip  split  mysqli  cmd  django-views  encoding  database-design  automation  collections  netbeans  hash  build  data-binding  ember.js  tcp  sqlalchemy  pdo  apache-flex  concurrency  entity-framework-core  command-line  spring-data-jpa  printing  java-8  react-redux  jestjs  service  html-table  neo4j  lua  ansible  parameters  module  material-ui  enums  visual-studio-2012  promise  flexbox  outlook  webview  firebase-authentication  web-applications  uwp  jquery-mobile  utf-8  datatable  python-requests  parallel-processing  drop-down-menu  colors  scroll  hive  tfs  scipy  count  syntax  ms-word  twitter-bootstrap-3  ssis  google-analytics  fonts  three.js  constructor  powerbi  rxjs  graphql  file-io  paypal  discord  cassandra  socket.io  graphics  compiler-errors  gwt  react-router  nlp  solr  url-rewriting  backbone.js  memory-leaks  datatables  oauth  datagridview  terraform  drupal  oracle11g  zend-framework  neural-network  knockout.js  triggers  django-forms  interface  google-api  angular-material  casting  jmeter  linked-list  path  proxy  timer  django-templates  arduino  orm  directory  visual-studio-2015  parse-platform  windows-phone-7  cron  push-notification  conditional-statements  primefaces  functional-programming  pagination  model  jar  xamarin.android  hyperlink  uiview  visual-studio-2013  gitlab  vbscript  google-cloud-functions  azure-active-directory  jwt  download  swift3  sql-server-2005  configuration  process  rspec  pygame  properties  combobox  callback  windows-phone-8  linux-kernel  safari  permissions  scrapy  raspberry-pi  scripting  emacs  clojure  x86  scope  io  compilation  mongodb-query  nhibernate  responsive-design  angularjs-directive  expo  request  azure-functions  bluetooth  3d  dns  binding  reference  discord.js  architecture  playframework  version-control  pyqt  doctrine-orm  package  pycharm  get  sql-server-2012  rubygems  f#  autocomplete  datepicker  openssl  kendo-ui  tree  jackson  controller  yii  grep  nested  xamarin.ios  static  dockerfile  statistics  transactions  datagrid  null  active-directory  uiviewcontroller  phpmyadmin  webforms  discord.py  notifications  sas  computer-vision  duplicates  mocking  youtube  nullpointerexception  yaml  menu  sum  bitmap  electron  asp.net-mvc-5  visual-studio-2008  time-series  blazor  yii2  jsf-2  css-selectors  stl  android-listview  floating-point  cryptography  ant  stream  hashmap  character-encoding  msbuild  sdk  asp.net-core-mvc  google-drive-api  selenium-chromedriver  jboss  joomla  navigation  cors  devise  anaconda  background  camera  multiprocessing  pyqt5  binary  frontend  cuda  linq-to-sql  iterator  mariadb  onclick  plotly  ios7  rabbitmq  android-jetpack-compose  android-asynctask  microsoft-graph-api  tabs  laravel-4  insert  uicollectionview  environment-variables  amazon-dynamodb  linker  console  xsd  coldfusion  upload  continuous-integration  ftp  textview  opengl-es  operating-system  vuejs3  mockito  localization  xml-parsing  macros  formatting  json.net  kivy  type-conversion  data.table  timestamp  calendar  integer  segmentation-fault  android-ndk  drag-and-drop  prolog  char  crash  jasmine  automated-tests  dependencies  geometry  android-gradle-plugin  itext  firebase-cloud-messaging  header  fortran  sprite-kit  mfc  attributes  nuxt.js  nosql  format  azure-pipelines  nestjs  odoo  jquery-plugins  db2  jenkins-pipeline  leaflet  event-handling  postman  flutter-layout  julia  annotations  keyboard  textbox  arm  visual-studio-2017  gulp  libgdx  stripe-payments  xampp  synchronization  crystal-reports  timezone  dom-events  azure-web-app-service  android-emulator  uikit  swagger  wso2  sequelize.js  namespaces  aggregation-framework  uiscrollview  jvm  google-sheets-formula  chart.js  com  subprocess  geolocation  webdriver  centos  html5-canvas  widget  dialog  garbage-collection  snowflake-cloud-data-platform  numbers  concatenation  sql-update  qml  set  windows-10  mapreduce  tuples  smtp  ionic2  java-stream  rotation  modal-dialog  spring-data  android-edittext  http-headers  doctrine  radio-button  nuget  grid  sonarqube  lucene  xmlhttprequest  internationalization  listbox  components  initialization  switch-statement  google-play  apache-camel  boolean  serial-port  ldap  ios5  youtube-api  return  gdb  pivot  eclipse-plugin  latex  frameworks  tags  containers  github-actions  dataset  asp-classic  subquery  foreign-keys  label  copy  uinavigationcontroller  c++17  delegates  google-cloud-storage  struts2  migration  base64  protractor  find  sql-server-2008-r2  queue  uibutton  embedded  arguments  composer-php  append  jaxb  zip  stack  cucumber  autolayout  ide  entity-framework-6  popup  iteration  airflow  windows-7  r-markdown  ssl-certificate  vb6  tailwind-css  gmail  hover  jqgrid  g++  udp         Next You’ll be prompted to create an account to view your personalized homepage.          (/)   Home    (/questions)   Questions    (/tags)    Tags     (/users)   Users    (https://stackoverflow.com/jobs/companies?so_medium=stackoverflow&so_source=SiteNav)   Companies    Labs      (/jobs?source=so-left-nav)   Jobs    (/beta/discussions)   Discussions    Collectives       Communities for your favorite technologies. (/collectives-all) Explore all Collectives     Teams () Ask questions, find answers and collaborate at work with Stack Overflow for Teams.  (https://stackoverflowteams.com/teams/create/free/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=side-bar&utm_content=explore-teams) Try Teams for free (https://stackoverflow.co/teams/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=side-bar&utm_content=explore-teams) Explore Teams   Teams      Ask questions, find answers and collaborate at work with Stack Overflow for Teams. (https://stackoverflow.co/teams/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=side-bar&utm_content=explore-teams-compact) Explore Teams          Collectives™ on Stack Overflow Find centralized, trusted content and collaborate around the technologies you use most. (/collectives) Learn more about Collectives     Teams  Q&A for work Connect and share knowledge within a single location that is structured and easy to search. (https://stackoverflow.co/teams/) Learn more about Teams             Get early access and see previews of new features. (https://stackoverflow.co/labs/)   Learn more about Labs   (https://cdn.sstatic.net/Sites/stackoverflow/Img/apple-touch-icon.png?v=c78bd457575a) (/questions/58930966/how-to-block-external-access-to-docker-container-linux-centos-7) how to block external access to docker container linux centos 7  (/questions/ask) Ask Question     (2019-11-19 09:46:45Z) Asked 5 years, 3 months ago  Modified (?lastactivity) (2023-10-01 20:31:58Z) 1 year, 5 months ago  (Viewed 2,443 times) Viewed 2k times         This question shows research effort; it is useful and clear  (70:3:31e,16:a363a1e8dbe35e36,10:1742104278,16:3c530901a156f330,8:58930966,b337bfd866c3fadef3b26e391e3c52584e2320d7720fae345eb72c68a7485b6e) 6  (This question does not show any research effort; it is unclear or not useful)    (70:3:31e,16:62efb9afb297df3f,10:1742104278,16:526b394b27ec7086,8:58930966,a41275d54f697169e41221d632f9cde06a3393f82e544cc669a1d4461fa964eb)      Save this question.  (/posts/58930966/timeline)    Show activity on this post.    I have a mongodb docker container I only want to have access to it from inside of my server, not out side. even I blocked the port 27017/tcp with firewall-cmd but it seems that docker is still available to public.
I am using linux centos 7
and docker-compose for setting up docker  (/questions/tagged/docker) (show questions tagged 'docker') docker  (/questions/tagged/docker-compose) (show questions tagged 'docker-compose') docker-compose  (/questions/tagged/centos7) (show questions tagged 'centos7') centos7      (/q/58930966) (Short permalink to this question) Share  Share a link to this question     Copy link (https://creativecommons.org/licenses/by-sa/4.0/) (The current license for this post: CC BY-SA 4.0) CC BY-SA 4.0     (/posts/58930966/edit) () Improve this question  Follow (70:3:31e,16:359dacb89619fb77,10:1742104278,16:6fb6976f6e199250,8:58930966,802470f2349dacd77b8314e104f4a7f3ce014287d7c46e70bd29f521e6456758)  Follow this question to receive notifications       asked (2019-11-19 09:46:45Z) Nov 19, 2019 at 9:46   (/users/10539792/ehsan-sarshar) (Ehsan Sarshar's user avatar)    (/users/10539792/ehsan-sarshar) Ehsan Sarshar Ehsan Sarshar (reputation score) 3,221 (1 gold badge)  1  1 gold badge (28 silver badges)  28  28 silver badges (46 bronze badges)  46  46 bronze badges           (Use comments to ask for more information or suggest improvements. Avoid answering questions in comments.) Add a comment |  (Expand to show all comments on this post)          4 Answers 4   Sorted by:  (/questions/58930966/how-to-block-external-access-to-docker-container-linux-centos-7?answertab=scoredesc#tab-top) Reset to default   (scoredesc) Highest score (default)  (trending) Trending (recent votes count more)  (modifieddesc) Date modified (newest first)  (createdasc) Date created (oldest first)            This answer is useful  (70:3:31e,16:0297f0308ff302fb,10:1742104278,16:120293f298830b5d,8:62329194,a94ab73406868a24ca1987376f01bef6ed2197ed1244bb04b302b808e40aa3cd) 3  (This answer is not useful)    (70:3:31e,16:9f1b4ac7c4280a8d,10:1742104278,16:9d811505726e9379,8:62329194,8e6d02bcbb0c6c9b551027ff31db703a0b2a43cf6c7e822bdd7dae0c91db0804)      Save this answer.  (Loading when this answer was accepted…)     (/posts/62329194/timeline)    Show activity on this post.    I resolved the same problem adding an iptables rule that blocks 27017 port on public interface (eth0) at the top of chain DOCKER:  iptables -I DOCKER 1 -i eth0 -p tcp --dport 27017 -j DROP  Set the rule after docker startup Another thing to do is to use non-default port for mongod, modify docker-compose.yml (remember to add --port=XXX in command directive) For better security I suggest to put your server behind an external firewall   (/a/62329194) (Short permalink to this answer) Share  Share a link to this answer     Copy link (https://creativecommons.org/licenses/by-sa/4.0/) (The current license for this post: CC BY-SA 4.0) CC BY-SA 4.0     (/posts/62329194/edit) () Improve this answer  Follow (70:3:31e,16:adba46670e063888,10:1742104278,16:f96c33522f0c11d6,8:62329194,f93016130234601cf0ed7cd788113db349d1c06c002d756016d214f569ad14b9)  Follow this answer to receive notifications       (/posts/62329194/revisions) (show all edits to this post) edited (2020-06-12 09:44:21Z) Jun 12, 2020 at 9:44         answered (2020-06-11 16:37:31Z) Jun 11, 2020 at 16:37   (/users/4622767/fra) (FRa's user avatar)    (/users/4622767/fra) FRa FRa (reputation score) 371 (4 silver badges)  4  4 silver badges (8 bronze badges)  8  8 bronze badges           (Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”.) Add a comment |  (Expand to show all comments on this post)             This answer is useful  (70:3:31e,16:73f5eae5bb1a4e1c,10:1742104278,16:1ca2bebfb3759a5d,8:58931543,6508d085318e2652af60453b08beb1efa0e5d8ff15cdcc6711e94e3fd70cf92d) 2  (This answer is not useful)    (70:3:31e,16:72c38cd5f662b913,10:1742104278,16:eee6979837df0d36,8:58931543,59607ef83ed65ed91edd6a6e273088f154e77ded7c3feaff41ab6217e23a0312)      Save this answer.  (Loading when this answer was accepted…)     (/posts/58931543/timeline)    Show activity on this post.    If you have your application in one container and MongoDb in other container what you need to do is to connect them together by using a network that is set to be internal. (https://docs.docker.com/compose/compose-file/compose-file-v2/) See Documentation : InternalBy default, Docker also connects a bridge network to it to provide
  external connectivity. If you want to create an externally isolated
  overlay network, you can set this option to true.  See also (https://devops.stackexchange.com/questions/4514/internal-network-between-container-docker-compose-with-outgoing-connection) this question  Here's the (https://docs.docker.com/network/network-tutorial-standalone/) tutorial on networking (not including internal but good for understanding) You may also limit traffic on MongoDb by Configuring (https://docs.mongodb.com/manual/tutorial/configure-linux-iptables-firewall/) Linux iptables Firewall for MongoDB  for creating private networks use some IPs from these ranges:10.0.0.0 – 10.255.255.255172.16.0.0 – 172.31.255.255192.168.0.0 – 192.168.255.255 more read on (https://en.wikipedia.org/wiki/Private_network) Wikipedia  You may connect a container to more than one network so typically an application container is connected to the outside world network (external) and internal network. The application communicates with database on internal network and returns some data to the client via external network. Database is connected only to the internal network so it is not seen from the outside (internet)   (/a/58931543) (Short permalink to this answer) Share  Share a link to this answer     Copy link (https://creativecommons.org/licenses/by-sa/4.0/) (The current license for this post: CC BY-SA 4.0) CC BY-SA 4.0     (/posts/58931543/edit) () Improve this answer  Follow (70:3:31e,16:24bea3b2e4d61175,10:1742104278,16:a9f7361430cba195,8:58931543,6666e9ff7dfcaae7002a31522d0fbe940584ffd8c3791bb2072a3f396c75bd3b)  Follow this answer to receive notifications       answered (2019-11-19 10:14:42Z) Nov 19, 2019 at 10:14   (/users/1174405/jimmix) (Jimmix's user avatar)    (/users/1174405/jimmix) Jimmix Jimmix (reputation score) 6,556 (7 gold badges)  7  7 gold badges (52 silver badges)  52  52 silver badges (91 bronze badges)  91  91 bronze badges        2   Centos7 not use iptables it use firewall-cmd instead – (/users/10539792/ehsan-sarshar) (3,221 reputation) Ehsan Sarshar  Commented (2019-11-19 14:28:31Z, License: CC BY-SA 4.0) Nov 19, 2019 at 14:28        @Ehsansarshar if you would like to follow MongoDB iptables firewal configuration page you can have iptables for Centos. (https://linuxize.com/post/how-to-install-iptables-on-centos-7/) See here  – (/users/1174405/jimmix) (6,556 reputation) Jimmix  Commented (2019-11-19 16:58:16Z, License: CC BY-SA 4.0) Nov 19, 2019 at 16:58        (Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”.) Add a comment |  (Expand to show all comments on this post)          This answer is useful  (70:3:31e,16:e8f37027a556893b,10:1742104278,16:438868f1711b7fdb,8:73459521,831a48833c6eed043b86db4b4521fa9530f75a27ee343f3f0895951a83b9bb3a) 1  (This answer is not useful)    (70:3:31e,16:8a74754b68cae0e1,10:1742104278,16:e5a8db8fe2a74dc7,8:73459521,b0c3eb55b57c8b60b080780ed2718072fc6467808d01a59cbf067df444dce6f4)      Save this answer.  (Loading when this answer was accepted…)     (/posts/73459521/timeline)    Show activity on this post.    I found a post here may help (https://roosbertl.blogspot.com/2019/06/securing-docker-ports-with-firewalld.html) Securing Docker Ports with Firewalld (CentOS7, etc) . Just post it here for people who need it in future. For security concerns, we need both hardware and OS firewalls to be enabled and properly configured. I found that firewall protection is ineffective for ports that are opened in a Docker container and listened on 0.0.0.0, even though the firewalld service was enabled at that time. My situation is : A server with Centos 7.9 and Docker version 20.10.17 installed A docker container was running with port 3000 opened on 0.0.0.0 The firewalld service had started with the command systemctl start firewalld  Only ports 22 should be allow access outside the server as the firewall configured.  It was expected that no one others could access port 3000 on that server, but the testing result was opposite. Port 3000 on that server was accessed successfully from any other servers. Thanks to the blog post, I have had my server under firewall protected. Quoted from the post : (https://roosbertl.blogspot.com/2019/06/securing-docker-ports-with-firewalld.html) Securing Docker Ports with Firewalld (CentOS7, etc)   Tested on CentOS7 with Docker-CE 18.09.6
Docker maintains IPTABLES chain "DOCKER-USER".
If you restart firewalld when docker is running, firewalld is removing the DOCKER-USER chain, so no Docker access is possible after this.
Docker adds a default rule to the DOCKER-USER chain which allows all IPs to access (possibly unsecure). We can achive secured Docker ports maintained by firewalld by letting firewalld create the DOCKER-USER chain, then apply iptables direct rules to secure the docker ports in this chain. When Docker is then started, it adds its allow-all rule to the bottom of our chain, but as we add a reject-all rule before, this rule is not in effect.    (/a/73459521) (Short permalink to this answer) Share  Share a link to this answer     Copy link (https://creativecommons.org/licenses/by-sa/4.0/) (The current license for this post: CC BY-SA 4.0) CC BY-SA 4.0     (/posts/73459521/edit) () Improve this answer  Follow (70:3:31e,16:113a9db6c258cac8,10:1742104278,16:ea804b1abf2994d7,8:73459521,f2ef9657f76e605c204e7f82ae78b8855a07434f468ed29bacb155895e1441ab)  Follow this answer to receive notifications       (/posts/73459521/revisions) (show all edits to this post) edited (2023-04-24 13:36:03Z) Apr 24, 2023 at 13:36         answered (2022-08-23 13:20:44Z) Aug 23, 2022 at 13:20   (/users/3598945/rong-l) (Rong.l's user avatar)    (/users/3598945/rong-l) Rong.l Rong.l (reputation score) 378 (2 silver badges)  2  2 silver badges (14 bronze badges)  14  14 bronze badges           (Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”.) Add a comment |  (Expand to show all comments on this post)             This answer is useful  (70:3:31e,16:7114b85152f981fa,10:1742104278,16:4de84f32efd7d903,8:77212234,1d22fb03238fdac2f9003157bd13dc56cd5448149b542e68fe50a0500e1bb494) -1  (This answer is not useful)    (70:3:31e,16:0e24887a08325f88,10:1742104278,16:37191365e7b8ff87,8:77212234,35dd08c78901e52f621b612dd0bd30a83a7e891329a3befeec0219d9e7baf5d1)      Save this answer.  (Loading when this answer was accepted…)     (/posts/77212234/timeline)    Show activity on this post.    Just run your docker like: sudo docker run --rm --detach -p 127.0 .0 .1 :9000:9000   There will be only internal localhost access, and not for the entire Internet.   (/a/77212234) (Short permalink to this answer) Share  Share a link to this answer     Copy link (https://creativecommons.org/licenses/by-sa/4.0/) (The current license for this post: CC BY-SA 4.0) CC BY-SA 4.0     (/posts/77212234/edit) () Improve this answer  Follow (70:3:31e,16:c7bd08aa5c1f5dec,10:1742104278,16:6d12c39997c3e156,8:77212234,1a5d933a19f776224059f0b1cf79724ca110f1f94e6237ba8d7ad0f4845e2257)  Follow this answer to receive notifications       answered (2023-10-01 20:31:58Z) Oct 1, 2023 at 20:31   (/users/12282542/kirill-parfenov) (Kirill Parfenov's user avatar)    (/users/12282542/kirill-parfenov) Kirill Parfenov Kirill Parfenov (reputation score) 653 (6 silver badges)  6  6 silver badges (9 bronze badges)  9  9 bronze badges           (Use comments to ask for more information or suggest improvements. Avoid comments like “+1” or “thanks”.) Add a comment |  (Expand to show all comments on this post)       (58930966) (false) () Your Answer  (True)                                                    Thanks for contributing an answer to Stack Overflow! Please be sure to answer the question . Provide details and share your research!  But avoid … Asking for help, clarification, or responding to other answers. Making statements based on opinion; back them up with references or personal experience.  To learn more, see our (/help/how-to-answer) tips on writing great answers .      Draft saved Draft discarded  (9b9d1ff1208457cf29de4d03e17fc06b55f301e0c5c48e7398c73e63b318268a)   Sign up or (/users/login?ssrc=question_page&returnurl=https%3a%2f%2fstackoverflow.com%2fquestions%2f58930966%2fhow-to-block-external-access-to-docker-container-linux-centos-7%23new-answer) log in       Sign up using Google     Sign up using Email and Password   (false) (false) Submit Post as a guest Name () ()    Email Required, but never shown   () ()       Post as a guest Name () ()     Email Required, but never shown   () ()       Post Your Answer  Discard  By clicking “Post Your Answer”, you agree to our (https://stackoverflow.com/legal/terms-of-service/public) terms of service and acknowledge you have read our (https://stackoverflow.com/legal/privacy-policy) privacy policy .(1)     Start asking to get answers Find the answer to your question by asking. (/questions/ask) Ask question   Explore related questions (/questions/tagged/docker) (show questions tagged 'docker') docker  (/questions/tagged/docker-compose) (show questions tagged 'docker-compose') docker-compose  (/questions/tagged/centos7) (show questions tagged 'centos7') centos7    See similar questions with these tags.      The Overflow Blog      (https://stackoverflow.blog/2025/03/14/can-climate-tech-startups-address-the-current-crisis/?cb=1) Can climate tech startups address the current crisis?       (https://stackoverflow.blog/2025/03/14/what-we-learned-at-tdx-2025/?cb=1) What we learned at TDX 2025   Featured on Meta  (Meta Stack Exchange)   (https://meta.stackexchange.com/questions/407321/community-asks-sprint-announcement-march-2025?cb=1) Community Asks Sprint Announcement - March 2025   (Meta Stack Exchange)   (https://meta.stackexchange.com/questions/407425/meta-stack-exchange-site-maintenance-scheduled-starting-monday-march-17-2025-f?cb=1) (Meta Stack Exchange site maintenance scheduled starting Monday, March 17, 2025 from 13:30 UTC to 14:30 UTC (9:30am to 10:30am ET)) Meta Stack Exchange site maintenance scheduled starting Monday, March 17,...   (Meta Stack Overflow)   (https://meta.stackoverflow.com/questions/432989/is-it-better-to-redirect-users-who-attempt-to-perform-actions-they-cant-yet-tak?cb=1) (Is it better to redirect users who attempt to perform actions they can't yet take?) Is it better to redirect users who attempt to perform actions they can't yet...   (Meta Stack Overflow)   (https://meta.stackoverflow.com/questions/433034/stacks-editor-development-and-testing?cb=1) Stacks Editor development and testing            Related (https://stackoverflow.com/q/29791770?rq=3) (Question score (upvotes - downvotes)) 1  (https://stackoverflow.com/questions/29791770/restricting-access-to-a-docker-container?rq=3) Restricting access to a Docker container  (https://stackoverflow.com/q/45635331?rq=3) (Question score (upvotes - downvotes)) 4  (https://stackoverflow.com/questions/45635331/docker-how-to-prevent-outgoing-traffic-from-a-dockers-network-using-docker-com?rq=3) Docker: How to prevent outgoing traffic from a docker's network using docker-compose and no iptables?  (https://stackoverflow.com/q/49442254?rq=3) (Question score (upvotes - downvotes)) 0  (https://stackoverflow.com/questions/49442254/blockade-for-docker-compose?rq=3) Blockade for docker-compose  (https://stackoverflow.com/q/50653696?rq=3) (Question score (upvotes - downvotes)) 3  (https://stackoverflow.com/questions/50653696/docker-compose-restrict-service-access-to-some-container-and-disable-access-fr?rq=3) Docker Compose - restrict service access to some container and disable access from outside docker  (https://stackoverflow.com/q/52704577?rq=3) (Question score (upvotes - downvotes)) 0  (https://stackoverflow.com/questions/52704577/how-with-iptables-to-block-access-to-docker-container-port-from-internet?rq=3) How , with iptables, to block access to docker container port from internet?  (https://stackoverflow.com/q/52812543?rq=3) (Question score (upvotes - downvotes)) 0  (https://stackoverflow.com/questions/52812543/how-to-restrict-access-from-internet-to-containers-ports-on-remote-linux-server?rq=3) How to restrict access from internet to containers ports on remote linux server?  (https://stackoverflow.com/q/54105432?rq=3) (Question score (upvotes - downvotes)) 2  (https://stackoverflow.com/questions/54105432/restrict-docker-container-internet-access?rq=3) Restrict docker container internet access  (https://stackoverflow.com/q/59730228?rq=3) (Question score (upvotes - downvotes)) 1  (https://stackoverflow.com/questions/59730228/how-can-i-configure-iptables-policies-with-docker-to-block-externals-ip?rq=3) How can i configure iptables policies with docker to block externals ip  (https://stackoverflow.com/q/63953333?rq=3) (Question score (upvotes - downvotes)) 2  (https://stackoverflow.com/questions/63953333/docker-restrict-container-network-access?rq=3) docker restrict container network access  (https://stackoverflow.com/q/69544970?rq=3) (Question score (upvotes - downvotes)) 2  (https://stackoverflow.com/questions/69544970/how-to-prevent-internet-access-in-docker-containers?rq=3) How to prevent internet access in Docker containers    (https://stackexchange.com/questions?tab=hot) Hot Network Questions   (Biblical Hermeneutics Stack Exchange)  (https://hermeneutics.stackexchange.com/questions/102269/what-cultural-practice-did-jesus-have-in-mind-when-he-said-that-the-gates-of-ha) What cultural practice did Jesus have in mind when he said that "the gates of Hades will not prevail" in Matthew 16:18?   (Physics Stack Exchange)  (https://physics.stackexchange.com/questions/845183/why-do-we-take-the-derivative-of-the-basis-vector-when-calcuating-the-accelerati) Why Do We Take the Derivative of the Basis Vector When Calcuating the Acceleration in Polar Coordinates?   (Home Improvement Stack Exchange)  (https://diy.stackexchange.com/questions/315818/can-i-use-tandem-breakers-to-make-room-in-a-full-panel-with-full-neutral-bus-bar) Can I use tandem breakers to make room in a full panel with full neutral bus bars?   (Physics Stack Exchange)  (https://physics.stackexchange.com/questions/845320/references-for-numerical-solutions-of-the-feynman-path-integral) References for Numerical Solutions of the Feynman Path Integral   (Physics Stack Exchange)  (https://physics.stackexchange.com/questions/845192/classically-radiating-black-holes-vs-quantum-mechanically-radiating-black-holes) Classically radiating black holes vs Quantum mechanically radiating black holes   (Travel Stack Exchange)  (https://travel.stackexchange.com/questions/193733/flying-from-germany-to-poland-and-back-without-schengen-visa) Flying from Germany to Poland and back without Schengen visa   (MathOverflow)  (https://mathoverflow.net/questions/489489/does-every-non-zero-finitely-generated-ring-have-a-proper-left-ideal-of-finite-i) Does every non-zero finitely generated ring have a proper left ideal of finite index?   (Aviation Stack Exchange)  (https://aviation.stackexchange.com/questions/108198/why-starting-a-jet-engine-is-unrecommended-in-tailwind-conditions) Why starting a jet engine is unrecommended in tailwind conditions   (TeX - LaTeX Stack Exchange)  (https://tex.stackexchange.com/questions/739028/how-to-draw-a-circle-inscribed-in-a-quadrangle-in-tikz) How to draw a circle inscribed in a quadrangle in TikZ   (Worldbuilding Stack Exchange)  (https://worldbuilding.stackexchange.com/questions/265292/how-would-a-society-with-no-wood-reliably-heat-itself) How would a society with no wood reliably heat itself?   (Worldbuilding Stack Exchange)  (https://worldbuilding.stackexchange.com/questions/265297/can-a-single-country-simultaneously-suffer-from-overpopulation-and-underpopulati) Can a single country simultaneously suffer from overpopulation and underpopulation?   (Electrical Engineering Stack Exchange)  (https://electronics.stackexchange.com/questions/741576/how-can-i-allow-power-from-wall-wart-or-usb-bus-or-both) How can I allow power from wall wart, or USB bus, or both?   (English Language Learners Stack Exchange)  (https://ell.stackexchange.com/questions/363162/what-does-i-could-use-me-mean) What does "I could use me." mean?   (MathOverflow)  (https://mathoverflow.net/questions/489464/how-to-make-this-system-ergodic) How to make this system ergodic?   (Personal Finance & Money Stack Exchange)  (https://money.stackexchange.com/questions/165530/could-ishares-ibonds-funds-buy-bonds-that-are-not-issued-yet-in-the-future) Could iShares iBonds funds buy bonds that are not issued yet in the future?   (Super User)  (https://superuser.com/questions/1886312/what-is-the-virtual-documents-directory-on-linux) What is the ".virtual_documents" directory on Linux?   (Travel Stack Exchange)  (https://travel.stackexchange.com/questions/193732/1-hour-20-minutes-enough-transfer-time-through-budapest-airport) 1 hour 20 minutes enough transfer time through Budapest Airport?   (Politics Stack Exchange)  (https://politics.stackexchange.com/questions/91027/is-it-exceptional-that-states-are-so-transparent-about-geopolitical-decisions-re) Is it exceptional that states are so transparent about geopolitical decisions regarding Ukraine?   (TeX - LaTeX Stack Exchange)  (https://tex.stackexchange.com/questions/739015/mathbb-not-working-when-using-pdflatex-acmart-declaresymbolfont-stmaryrd-an) \mathbb not working when using pdfLaTeX, acmart, DeclareSymbolFont, stmaryrd, and bbold in a specific order   (Music: Practice & Theory Stack Exchange)  (https://music.stackexchange.com/questions/139158/what-is-the-purpose-of-keeping-d-c-b-while-playing-the-bottom-d-on-this-score) what is the purpose of keeping D, C, B while playing the bottom D on this score?   (Role-playing Games Stack Exchange)  (https://rpg.stackexchange.com/questions/214979/can-an-action-surging-7-eldritch-knight-cast-two-cantrips-with-war-magic) Can an Action Surging 7+ Eldritch Knight cast two cantrips with War Magic?   (Mathematics Stack Exchange)  (https://math.stackexchange.com/questions/5045855/earliest-blow-up-time-for-a-first-order-pde) Earliest blow-up time for a first-order PDE   (Writing Stack Exchange)  (https://writing.stackexchange.com/questions/71037/site-to-format-a-novel-for-submission) Site to format a novel for submission?   (Travel Stack Exchange)  (https://travel.stackexchange.com/questions/193728/how-can-visa-officials-know-i-visa-shopped) How can visa officials know I ‘visa shopped’     (/feeds/question/58930966) (Feed of this question and its answers)   Question feed   Subscribe to RSS  Question feed To subscribe to this RSS feed, copy and paste this URL into your RSS reader.   (https://stackoverflow.com/feeds/question/58930966)            ()   lang-yaml    (https://stackoverflow.com)      (https://stackoverflow.com) Stack Overflow  (/questions) Questions  (/help) Help  (https://chat.stackoverflow.com/?tab=site&host=stackoverflow.com) Chat    (https://stackoverflow.co/) Products  (https://stackoverflow.co/teams/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=footer&utm_content=teams) Teams  (https://stackoverflow.co/advertising/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=footer&utm_content=advertising) Advertising  (https://stackoverflow.co/advertising/employer-branding/?utm_medium=referral&utm_source=stackoverflow-community&utm_campaign=footer&utm_content=talent) Talent    (https://stackoverflow.co/) Company  (https://stackoverflow.co/) About  (https://stackoverflow.co/company/press/) Press  (https://stackoverflow.co/company/work-here/) Work Here  (https://stackoverflow.com/legal) Legal  (https://stackoverflow.com/legal/privacy-policy) Privacy Policy  (https://stackoverflow.com/legal/terms-of-service/public) Terms of Service  (/contact) Contact Us  Your Privacy Choices     (https://stackoverflow.com/legal/cookie-policy) Cookie Policy    (https://stackexchange.com) Stack Exchange Network  (https://stackexchange.com/sites#technology) Technology   (https://stackexchange.com/sites#culturerecreation) Culture & recreation   (https://stackexchange.com/sites#lifearts) Life & arts   (https://stackexchange.com/sites#science) Science   (https://stackexchange.com/sites#professional) Professional   (https://stackexchange.com/sites#business) Business   (https://api.stackexchange.com/) API   (https://data.stackexchange.com/) Data       (https://stackoverflow.blog?blb=1) Blog  (https://www.facebook.com/officialstackoverflow/) Facebook  (https://twitter.com/stackoverflow) Twitter  (https://linkedin.com/company/stack-overflow) LinkedIn  (https://www.instagram.com/thestackoverflow) Instagram   Site design / logo © 2025 Stack Exchange Inc;  user contributions licensed under  (https://stackoverflow.com/help/licensing) CC BY-SA .  rev 2025.3.14.23880