Container to host port mapping using 127.0.0.1:[host port] does not work correctly #634

Open
thinkbig1979 opened this issue Nov 30, 2023 · 3 comments
Labels
bug Something isn't working

Comments

thinkbig1979 commented Nov 30, 2023

A convenient way of preventing containers on a VPS from being unnecessarily exposed to the internet due to Docker's iptables rules bypassing the system firewall is to map the container port to 127.0.0.1:[host port] rather than just giving Docker a host port number. The latter leads to it being mapped to 0.0.0.0:[host port], which is then exposed to the internet.

However, in Yacht, this does not seem to work correctly.
E.g. adding 127.0.0.1:8083 in the host port field results in the container being mapped to 32769 for some reason. See screenshots below.

Entering the port:
[screenshot: the port entry form]

The resulting container running on the wrong port, and still exposed to the internet:
[screenshot: the resulting container's port mapping]

  • OS: Ubuntu on host machine
  • Browser: Firefox
  • Yacht Version: v0.0.7-alpha-2023-01-12--05
@thinkbig1979 thinkbig1979 added the bug Something isn't working label Nov 30, 2023
wickedyoda (Collaborator) commented:

You can't use 127.0.0.1

Because generally 127.0.0.1 refers to the Windows loopback pointing back to the Windows system, not Docker.

However, when you put that in Docker and a container, the container is running a mini OS inside itself. So technically, if the container has 127.0.0.1, then it points to itself, but if you use it then it's pointing back to the Windows host. You have to remember to treat Docker containers like they are other mini VMs on another network. Because they kinda are....

thinkbig1979 (Author) commented:

Yes and no....

127.0.0.1 is indeed the IP address of the host's loopback interface, which is not exposed to the outside world.
0.0.0.0 is the host's IP address for ALL network interfaces, including whatever interface is exposed to the outside world.

When mapping ports from container to host, if you only provide a port number, then Docker automatically maps the container's port to that port on the host's 0.0.0.0 interface, meaning that your container port is directly exposed to all other interfaces, and therefore also to the outside world. This is a security concern.

However, it is possible with docker to map a container port to the host's loopback address only, by prepending the host port number with 127.0.0.1. This way the container's port is still available to anything on the host system, but is not exposed to the outside world.

It may not be best practice, but it is a nifty way of keeping your services available on localhost, so you can easily access them from other services on that machine, while not exposing them to the internet.

Also, it's worth pointing out that this already works in Docker CLI, Docker Compose and Portainer.
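The publish syntax described in the reply above, as an added example that is not part of the issue or of Yacht's code: a parser for Docker's `[host_ip:][host_port:]container_port[/proto]` strings, a helper that interprets a UI "host port" field holding either a bare port or `127.0.0.1:8083` without dropping the bind address, and a check that flags which mappings listen beyond loopback. IPv4 bind addresses only and the sample port list are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class PortSpec:
    host_ip: Optional[str]     # None: Docker binds 0.0.0.0, i.e. every interface
    host_port: Optional[int]   # None: Docker picks an ephemeral host port
    container_port: int
    proto: str

def split_host_field(field: str) -> Tuple[Optional[str], Optional[int]]:
    """Interpret a UI 'host port' field: '8083' -> (None, 8083),
    '127.0.0.1:8083' -> ('127.0.0.1', 8083), '' -> (None, None).
    IPv4 only (assumption); the bind address must survive, not be discarded."""
    field = field.strip()
    if not field:
        return None, None
    ip, sep, port = field.rpartition(":")
    if sep:
        ipaddress.IPv4Address(ip)          # raises ValueError on garbage
        return ip, int(port)
    return None, int(field)

def parse_port_spec(spec: str) -> PortSpec:
    """Parse Docker's [host_ip:][host_port:]container_port[/proto] syntax."""
    body, _, proto = spec.partition("/")
    host, sep, cport = body.rpartition(":")
    host_ip, host_port = split_host_field(host) if sep else (None, None)
    return PortSpec(host_ip, host_port, int(cport), proto or "tcp")

def to_spec(host_field: str, container_port: int, proto: str = "tcp") -> str:
    """Build the publish string Docker expects from a host-field value."""
    ip, port = split_host_field(host_field)
    host = ":".join(p for p in (ip, str(port) if port else "") if p)
    return f"{host}:{container_port}/{proto}" if host else f"{container_port}/{proto}"

def exposed_beyond_localhost(ps: PortSpec) -> bool:
    """True when the published port listens on a non-loopback address."""
    return ps.host_ip is None or not ipaddress.ip_address(ps.host_ip).is_loopback

def audit(specs: List[str]) -> List[str]:
    """Return the publish strings reachable from the network, not just loopback."""
    return [s for s in specs if exposed_beyond_localhost(parse_port_spec(s))]

# Constructed sample, modelled on the issue: two loopback-only mappings, two open.
SAMPLE_PORTS = ["127.0.0.1:8083:80", "8084:80", "443", "127.0.0.1:5432:5432/tcp"]
```

Running `audit(SAMPLE_PORTS)` returns only the two mappings without a loopback bind address; a UI that rebuilds the publish string with `to_spec` keeps the `127.0.0.1` prefix the reporter typed.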

4val0v commented May 5, 2024

Similar problem, used to use this solution before: https://stackoverflow.com/a/46220742
But with Yacht it cannot be done (
