So after “fixing” docker, which ultimately broke something within one of my containers, the docker devs reverted the behaviour and I was able to undo all the changes I had made, and everything worked the way I was used to.
That lasted until Docker 1.6. Typically, I only discover that things have changed when I receive an alert from some “helpful” idiots, sent via my host’s abuse address, that I have an exposed service (Stop scanning my server goddamnit). They’re just trying to help, I guess, but it really gets my goat to receive alerts in this manner.
Docker once again exposes the containers to the world by default. This time, though, I wanted to fix the problem without fundamentally breaking things. The issue is that each container has its own internal IP address, and Docker automatically NATs traffic to it from outside. The ufw script doesn’t handle this: its rules only apply to the INPUT iptables chain, while traffic destined for a container passes through the FORWARD chain, so even if you specifically block a port with ufw, the container still receives the traffic. Rather than messing about with iptables, I changed how I run my containers. Instead of mapping ports with the standard `-p hostport:containerport` form, I changed them to `-p ipaddress:hostport:containerport`, with the IP address being localhost (127.0.0.1), so the published port is only bound on the loopback interface. Problem solved, and very simply.
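To make the difference between the two `-p` forms concrete, here is a small POSIX shell script (added here as an example, not part of the original post or of Docker itself) that classifies a list of `docker run -p` publish specs, counts the ones bound to every host interface, and rewrites those into the loopback-bound form described above. The sample list of specs is constructed for illustration, and the script assumes IPv4 host addresses.

```shell
#!/bin/sh
# Audit "docker run -p" publish specs and rewrite the ones that bind every
# host interface. Docker publishes via DNAT in the FORWARD chain, so ufw
# rules on INPUT never see that traffic; binding to 127.0.0.1 keeps the
# port off the public interface without touching iptables.
# Assumes IPv4 host addresses (the forms the post uses).

# Classify one publish spec: prints "exposed" (all interfaces),
# "local" (loopback) or "bound:<ip>" (some other explicit host address).
classify_publish() {
    spec=${1%/*}                      # drop an optional /tcp or /udp suffix
    case "$spec" in
        *:*:*) hostip=${spec%%:*} ;;  # ip:hostport:ctrport or ip::ctrport
        *)     hostip="" ;;           # hostport:ctrport or bare ctrport
    esac
    case "$hostip" in
        ""|0.0.0.0) echo exposed ;;
        127.*)      echo local ;;
        *)          echo "bound:$hostip" ;;
    esac
}

# Rewrite an all-interfaces spec into the loopback-bound form the post
# switches to; specs that already name a host address are returned as-is.
to_loopback() {
    case "$(classify_publish "$1")" in
        exposed)
            case "${1%/*}" in
                *:*:*) echo "127.0.0.1:${1#*:}" ;;  # 0.0.0.0:host:ctr
                *:*)   echo "127.0.0.1:$1" ;;       # host:ctr
                *)     echo "127.0.0.1::$1" ;;      # bare container port
            esac ;;
        *) echo "$1" ;;
    esac
}

# Count how many specs in a whitespace-separated list are exposed.
count_exposed() {
    n=0
    for spec in $1; do
        [ "$(classify_publish "$spec")" = exposed ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample standing in for the -p flags of several containers.
SAMPLE_PUBLISHES="8080:80
127.0.0.1:5432:5432
0.0.0.0:6379:6379
127.0.0.1::9200
443:443/tcp
127.0.0.1:53:53/udp"

for spec in $SAMPLE_PUBLISHES; do
    printf '%-22s %-8s -> -p %s\n' "$spec" "$(classify_publish "$spec")" "$(to_loopback "$spec")"
done
```

Run it as-is to see the table for the sample list, or feed it the `-p` values from your own run scripts to find the mappings that still bypass ufw.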