Firewall rules to prevent access to container ports

Hi,

I’m a little unsure how to block external IPs from accessing the running Docker containers on my ShinyProxy host. ShinyProxy does expose the ports to 0.0.0.0 and I’m not really sure why/if that’s needed.

My naïve understanding from reading the Docker documentation on that topic is that adding a

iptables -I DOCKER-USER -i ext_if -j DROP

should do the trick. But I fear I might break ShinyProxy in some subtle ways I didn’t think about.

Most tutorials I found use UFW but that actually doesn’t play well with Docker, so I’d like to avoid using UFW.

From what I understand now,

iptables -I DOCKER-USER -i ext_if -j DROP
iptables -I DOCKER-USER -i ext_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

should actually do the trick to allow needed connections that are established from within the container, e.g. DB connections.
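A small simulation of how those two `-I` inserts order the DOCKER-USER chain and what happens to sample packets. This is an added example, not code from the original post or from ShinyProxy/Docker; the interface name `ext_if` stands in for the real external interface, and the packet states are constructed inputs.

```python
# Simulates `iptables -I DOCKER-USER ...` and evaluates sample packets against
# the resulting chain, to show why the order of the two commands matters.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Rule:
    in_if: Optional[str]        # -i <iface>; None matches any interface
    ctstates: FrozenSet[str]    # --ctstate values; empty set matches any state
    target: str                 # ACCEPT / DROP / RETURN


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        # `iptables -I CHAIN ...` without a position inserts at the TOP of the
        # chain, so the last command issued becomes the first rule evaluated.
        self.rules.insert(0, rule)

    def verdict(self, in_if: str, ctstate: str) -> str:
        for r in self.rules:
            if r.in_if is not None and r.in_if != in_if:
                continue
            if r.ctstates and ctstate not in r.ctstates:
                continue
            return r.target
        # Falling off the end of DOCKER-USER returns to Docker's own rules.
        return "RETURN"


def build_docker_user_chain(ext_if: str = "ext_if") -> Chain:
    """Issue the two commands from the post in the same order."""
    chain = Chain()
    chain.insert(Rule(ext_if, frozenset(), "DROP"))
    chain.insert(Rule(ext_if, frozenset({"RELATED", "ESTABLISHED"}), "ACCEPT"))
    return chain


if __name__ == "__main__":
    chain = build_docker_user_chain()
    # Constructed packets: a fresh inbound connection from the internet, a
    # reply packet for a DB connection opened by a container, and LAN traffic.
    print(chain.verdict("ext_if", "NEW"))          # DROP
    print(chain.verdict("ext_if", "ESTABLISHED"))  # ACCEPT
    print(chain.verdict("docker0", "NEW"))         # RETURN
```

Reversing the two commands would put DROP on top and also break the container's outbound DB replies, which is the subtle failure the ordering avoids.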