9
endor
5y

So apparently Docker exposes all the forwarded ports on *all* the interfaces, making all running containers available to the entire internet BY DEFAULT.
I have a question:
WHY???

Comments
  • 6
    There's a difference between 'expose' and 'publish/ports'

    Perhaps try a docker network and expose? 🤔
  • 3
  • 6
    @endor expose exposes a port to a docker network, so only other containers can access it. Using -p or 'ports' exposes them publicly

    Or am I confusing your rant with something else?
  • 2
    So blissful not knowing what the fuck You guys are talking about. Have at it.
  • 2
    @alexbrooklyn oh, that - yeah, I was talking about the -p parameter. Wouldn't it be a safer (and saner) default to only expose on localhost, and only optionally on 0.0.0.0 (or any other interface), rather than the other way around?

    I'm just starting out with docker, and I can't figure out for the life of me why anyone would consider that a reasonable default - especially for containers running on servers, which might accidentally expose sensitive applications to the internet.

    (Also, I'm really annoyed that it overwrote my iptables-save file - lucky me I always keep backups)
  • 2
    @grumpyoldaf you're not missing out on much tbh
  • 4
    Yes docker has its own iptables config, I usually use a firewall on my hosting panel instead of iptables to protect my servers

    I also find it weird that 'expose' means opening a port on a container in an internal network while 'port' is for opening a port on the host, they seem to be the opposite of what they are named after

    There are probably reasons for the iptables override, but I hope that you now see the difference between port and expose 😉
  • 1
    @alexbrooklyn yeah, I'm reading about these things right now. I'm setting up networking the way *I* want it before I run any container at all - stuff like this is exactly why.

    I just wish I didn't have to be this paranoid about safe network settings every time I add something new.

    Fortunately there's a switch to disable the iptables override

    (Also, my VPS has no firewall settings in the hosting panel, so it's iptables or nothing - and tbh I'm ok with that, at least I have more advanced control over the settings, rather than being limited by an interface)
  • 1
    You don't read docs, naa? docker run -p 127.0.0.1:80:8080/tcp ubuntu bash only publishes to localhost
    Src: https://docs.docker.com/engine/...
  • 1
    @Minion yes, I read that. Did you read my comments? My point is, the default behaviour of "-p 80:80" should be to publish on localhost only, and it should require extra details to publish on all interfaces (ie "-p 0.0.0.0:80:80").

    That way, there's an additional safety net to prevent apps from being exposed to the internet with no protection - which should be necessary, given how blatantly Docker overrides all previous iptables settings by adding its own rules on top.
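The thread's point is that a bare "-p 80:80" binds to 0.0.0.0, so the practical check is to audit what is actually published. The script below is an added example, not code from the thread or from Docker: it parses lines in the format of docker ps --format '{{.Names}}\t{{.Ports}}' (the sample lines are constructed) and flags every published port bound to the wildcard addresses 0.0.0.0 or ::, while a 127.0.0.1 binding or a merely exposed port (no host side) passes.

```shell
#!/bin/sh
# Added example (not from the thread): audit Docker published ports for
# wildcard host bindings. Input format mirrors
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# The three sample lines below are constructed for the demo:
#   web   published on every interface (IPv4 and IPv6 wildcard)
#   db    published on loopback only (the safer form from the thread)
#   cache only EXPOSEd, not published, so no host side at all
TAB=$(printf '\t')
SAMPLE_PS="web${TAB}0.0.0.0:80->80/tcp, :::80->80/tcp
db${TAB}127.0.0.1:5432->5432/tcp
cache${TAB}6379/tcp"

# flag_wildcard_bindings LINES
# Prints "<container> <hostaddr:port>" for each mapping whose host side is
# 0.0.0.0 or :: (reachable from every interface). Prints nothing otherwise.
flag_wildcard_bindings() {
    printf '%s\n' "$1" | awk -F"$TAB" '{
        n = split($2, maps, ", *")              # one entry per port mapping
        for (i = 1; i <= n; i++) {
            if (maps[i] ~ /^(0\.0\.0\.0|::):[0-9]+->/) {
                sub(/->.*/, "", maps[i])        # keep only the host side
                print $1, maps[i]
            }
        }
    }'
}

# count_wildcard_bindings LINES -> number of wildcard-bound mappings
count_wildcard_bindings() {
    flag_wildcard_bindings "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed sample; prints the two wildcard bindings of "web".
flag_wildcard_bindings "$SAMPLE_PS"

# Live use on a host (not run here):
#   flag_wildcard_bindings "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
```

To get the default the thread argues for without typing 127.0.0.1 on every -p, dockerd's --ip option (the "ip" key in /etc/docker/daemon.json) sets the address used when no host address is given in a port mapping, and the "iptables": false key is the switch mentioned above that stops the daemon from writing its own iptables rules; with that switch you then own the forwarding rules yourself.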