I run a Jenkins container instance on our server with this command:
docker run --name jenkins --restart=on-failure -d \
--network jenkins --env DOCKER_HOST=tcp://docker:2376 \
--env DOCKER_CERT_PATH=/jenkincerts/client --env DOCKER_TLS_VERIFY=1 \
-p 8180:8080 -p 50000:50000 \
-v jenkins-home:/var/jenkins_home \
-v docker-certs-jk:/jenkincerts/client:ro \
myjenkin
But I find that port 8180 is exposed to the world, so I do research and find a solution: add an iptables rule with the command:
iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP
The result is that port is closed, but my Jenkins instance cannot access the internet to download...
Can anyone help me stop exposing ports to the world while my Jenkins can still access the internet?
CodePudding user response:
From https://docs.docker.com/engine/reference/commandline/run/ :
docker run -p 127.0.0.1:80:8080/tcp ubuntu bash
This binds port 8080 of the container to TCP port 80 on 127.0.0.1 [...]
Note that ports which are not bound to the host (i.e., -p 80:80 instead of -p 127.0.0.1:80:80) will be accessible from the outside. This also applies if you configured UFW to block this specific port, as Docker manages its own iptables rules. Read more
From, well, the "read more" link https://docs.docker.com/network/iptables/ :
By default, the Docker daemon will expose ports on the 0.0.0.0 address, i.e. any address on the host. If you want to change that behavior to only expose ports on an internal IP address, you can use the --ip option to specify a different IP address. However, setting --ip only changes the default, it does not restrict services to that IP.
If you want docker to listen only on localhost, do -p 127.0.0.1:8180:8080.
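As an added example (not part of the original question or answer), the script below shows how to check an existing container for the problem the answer describes: it reads the output of `docker port <container>` and flags any published port bound to a wildcard address (0.0.0.0 or ::), which Docker exposes to the world regardless of host firewall rules such as UFW. The container name `jenkins` and the sample binding lines are assumptions constructed for the demo, mimicking what `docker port` prints for the command in the question.

```shell
#!/bin/sh
# Added example (not from the original post): audit `docker port` output and
# flag published ports bound to a wildcard address, i.e. reachable from outside
# the host. Loopback bindings such as 127.0.0.1 are reported as safe.
#
# Live usage (assumes a container named "jenkins" exists):
#   docker port jenkins | audit_port_bindings
# The fix for the question's run command is to bind both published ports to
# loopback, as the answer says:
#   docker run ... -p 127.0.0.1:8180:8080 -p 127.0.0.1:50000:50000 ... myjenkin

# Reads lines of the form "<cport>/<proto> -> <hostaddr>:<hostport>" on stdin,
# prints one line per binding that is not loopback-only, and returns 1 if any
# such binding was found (0 otherwise), so it can be used in a health check.
audit_port_bindings() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Host side is everything after "-> "; the host address is everything
        # before the last ':' because IPv6 addresses contain colons themselves.
        host_side=${line##*-> }
        host_addr=${host_side%:*}
        host_port=${host_side##*:}
        case "$host_addr" in
            0.0.0.0|::|'[::]')
                # Wildcard bind: reachable from any interface on the host.
                printf 'WORLD-EXPOSED: %s (host port %s)\n' "$line" "$host_port"
                found=1 ;;
            127.*|::1|'[::1]')
                # Loopback-only bind: only processes on the host can connect.
                ;;
            *)
                # Bound to a specific non-loopback address: still reachable
                # from that network, so report it for review.
                printf 'NON-LOOPBACK: %s (host port %s)\n' "$line" "$host_port"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample output (not captured from a real host) mimicking
# `docker port jenkins` for the container in the question: the 8080 mapping
# is published on both the IPv4 and IPv6 wildcard, 50000 on loopback only.
SAMPLE_BINDINGS='8080/tcp -> 0.0.0.0:8180
8080/tcp -> :::8180
50000/tcp -> 127.0.0.1:50000'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BINDINGS" | audit_port_bindings
fi
```

Run with `sh audit.sh --demo` to see the two wildcard bindings reported; after re-creating the container with `-p 127.0.0.1:8180:8080`, the same check against the live `docker port jenkins` output returns 0 and prints nothing.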