
I have a question. I have the following iptables config:

[root@nd01 ~]# iptables -L INPUT --line-numbers -n
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  my_local_ip/32         0.0.0.0/0           
3    INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
4    INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
5    INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

However, if I telnet to this machine from a random host (let's say, for example, from a DNS server to this server), I can still get through.

[root@ns1 ~]# telnet server.com 3306
Trying server.com...
Connected to server.com.
Escape character is '^]'.
X
5.5.5-10.2.8-MariaDB    =wbeV^Th???3`kw6F=@geHtmysql_native_password
^C
Connection closed by foreign host.
[root@ns1 ~]# 

Port 3306 is bound from a Docker container to the host machine using the '-p 3306:3306' flag.

Why is this? I have a feeling all servers I have with Docker installed via Docker's sh script are all open, because I just recently found out that this installation breaks firewalld completely.

1 Answer

You can get through because you specifically EXPOSEd that port to the Internet using docker run -p.

Docker creates the necessary iptables rules (which are not in the INPUT chain, so looking there is pointless) to cause this traffic to reach your container.

You MUST NOT expose ports which you do not want reachable from outside the host.

To create a setup with multiple containers that talk to each other privately, use docker-compose.

Michael Hampton
  • Hi Michael, thanks for your answer. So basically I was not expecting this behaviour. I was simply assuming that, with Docker or no Docker, you would still have to manually open ports, moreover when the firewalld docs say it's totally compliant. Like when I start a service and it's bound to a host port, I still have to allow traffic from outside to that port; here I assumed it should be no different. I don't really fancy this implementation, but heck with it. It's also wonderful how DOCKER-USER chain rules are not persistent. Isn't it amazing?? – Ricardo Mendes Feb 18 '19 at 11:41
  • @RicardoMendes It's behaving the way it is documented, so I would not be surprised. – Michael Hampton Feb 18 '19 at 14:37
  • Yes, it is true. Live and learn. – Ricardo Mendes Feb 18 '19 at 17:35
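The answer's point (Docker's rules are not in INPUT, so auditing INPUT tells you nothing about published ports) is easy to verify from an iptables-save dump, and the DOCKER-USER chain mentioned in the comments is where an administrator's own restriction goes. The following audit script is an added example, not code from the question, the answer, or the Docker project. It parses iptables-save text rather than calling iptables, so it runs offline; the dumps, the container address 172.17.0.2, the interface name docker0, the trusted address 203.0.113.10 and the outside address 198.51.100.7 are all constructed to mimic what Docker writes for `docker run -p 3306:3306`, for `-p 127.0.0.1:3306:3306`, and for a hand-added DOCKER-USER rule.

```python
"""Audit which Docker-published ports are reachable from outside the host.

Added example (not code from the question, the answer, or Docker itself).
Works on `iptables-save` text; all dumps and addresses below are constructed.
"""
import ipaddress
import shlex

# Constructed: the question's INPUT policy plus the rules Docker adds for
# `-p 3306:3306`. Docker's rules live in the nat table (PREROUTING -> DOCKER,
# DNAT) and in the filter table's FORWARD path (FORWARD -> DOCKER-USER -> DOCKER).
OPEN_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.2:3306
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""

# Constructed: the same host after `-p 127.0.0.1:3306:3306` (Docker adds `-d 127.0.0.1/32`).
LOCALHOST_DUMP = OPEN_DUMP.replace(
    "-A DOCKER ! -i docker0 -p tcp", "-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp")


def parse_rules(dump):
    """Return {table: [(chain, tokens), ...]} for every -A line in the dump."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A ") and table is not None:
            tokens = shlex.split(line)
            tables[table].append((tokens[1], tokens))
    return tables


def _opt(tokens, flag):
    """Value following `flag`, or None if the rule does not use it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def _matches(tokens, src, proto, port):
    """Evaluate the match options this audit understands (-s, -p, --dport),
    honouring iptables' `!` negation; options it does not know are assumed to match."""
    for flag, value in (("-s", src), ("-p", proto), ("--dport", str(port))):
        if flag not in tokens:
            continue
        i = tokens.index(flag)
        negated = i > 0 and tokens[i - 1] == "!"
        want = tokens[i + 1]
        if flag == "-s":
            hit = ipaddress.ip_address(src) in ipaddress.ip_network(want, strict=False)
        else:
            hit = want == value
        if hit == negated:  # plain option that missed, or negated option that hit
            return False
    return True


def published_ports(dump):
    """Ports Docker DNATs into containers: the DNAT rules of the nat-table DOCKER chain."""
    found = []
    for chain, tok in parse_rules(dump).get("nat", []):
        if chain == "DOCKER" and _opt(tok, "-j") == "DNAT":
            found.append({
                "proto": _opt(tok, "-p"),
                "port": int(_opt(tok, "--dport")),
                "bind": _opt(tok, "-d") or "0.0.0.0/0",  # no -d: every host address
                "target": _opt(tok, "--to-destination"),
            })
    return found


def reachable_from(dump, src, proto, port):
    """True if a packet from `src` to host port `port` reaches the container.

    INPUT is never consulted: the PREROUTING DNAT rewrites the destination to
    the container address, so the packet is forwarded, not delivered locally."""
    tables = parse_rules(dump)
    entries = [e for e in published_ports(dump) if e["proto"] == proto and e["port"] == port]
    if not entries:
        return False
    bind = ipaddress.ip_network(entries[0]["bind"], strict=False)
    # Published on loopback only: the DNAT rule cannot match traffic arriving on eth0.
    if bind.subnet_of(ipaddress.ip_network("127.0.0.0/8")):
        return False
    # FORWARD jumps to DOCKER-USER before Docker's own ACCEPT, so a rule there wins.
    for chain, tok in tables.get("filter", []):
        if chain == "DOCKER-USER" and _matches(tok, src, proto, port):
            return _opt(tok, "-j") not in ("DROP", "REJECT")
    return True  # fell off DOCKER-USER: Docker's DOCKER chain ACCEPTs it


def with_docker_user_rule(dump, rule):
    """Insert an administrator rule ahead of Docker's trailing RETURN in DOCKER-USER."""
    return dump.replace("-A DOCKER-USER -j RETURN", rule + "\n-A DOCKER-USER -j RETURN")


# Constructed: allow only the trusted address to reach the published port.
TRUSTED_ONLY_DUMP = with_docker_user_rule(
    OPEN_DUMP, "-A DOCKER-USER ! -s 203.0.113.10/32 -p tcp -m tcp --dport 3306 -j DROP")

if __name__ == "__main__":
    for name, dump in (("open", OPEN_DUMP), ("localhost", LOCALHOST_DUMP), ("trusted", TRUSTED_ONLY_DUMP)):
        for e in published_ports(dump):
            print(name, e, "reachable from 198.51.100.7:",
                  reachable_from(dump, "198.51.100.7", e["proto"], e["port"]))
```

Run against a real host with `iptables-save` output piped in and the same functions apply unchanged; the point of the three dumps is that the INPUT chain is identical in all of them, yet only the first leaves 3306 reachable from an arbitrary address. The two fixes it models are the ones a defender has: publish on 127.0.0.1 so the DNAT never matches external traffic, or put a DROP in DOCKER-USER, which FORWARD consults before Docker's own ACCEPT rules.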