5.13 Bind incoming container traffic to a specific host interface

Information

By default, Docker containers can make connections to the outside world, but the outside
world cannot connect to containers. Each outgoing connection will appear to originate
from one of the host machine's own IP addresses. Only allow container services to be
contacted through a specific external interface on the host machine.

If you have multiple network interfaces on your host machine, the container can accept
connections on the exposed ports on any network interface. This might not be desired and
may not be secure. Often a particular interface is exposed externally and services
such as intrusion detection, intrusion prevention, firewall, load balancing, etc. are run on
that interface to screen incoming public traffic. Hence, you should not accept incoming
connections on any interface. You should only allow incoming connections on a
particular external interface.

Solution

Bind the container port to a specific host interface on the desired host port. For example:

docker run --detach --publish 10.2.3.4:49153:80 nginx

In the example above, container port 80 is bound to host port 49153 and will accept
incoming connections only on the 10.2.3.4 external interface.

Impact

None.

Default Value

By default, Docker exposes the container ports on 0.0.0.0, the wildcard IP address that
will match any possible incoming network interface on the host machine.
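The following check is an added example and is not part of the CIS benchmark text or of Docker itself. It reads the JSON produced by `docker inspect` (the NetworkSettings.Ports field) and reports every published port whose host side is a wildcard address (empty, 0.0.0.0 or ::), which is exactly the condition this control asks you to eliminate. The sample inspect data embedded below is constructed for the example; the container names in it are made up.

```python
#!/usr/bin/env python3
"""Flag published container ports bound to a wildcard host address.

Usage against a live host (assumes Docker CLI is available):
    docker inspect $(docker ps -q) | python3 check_port_bindings.py
"""
import json
import sys

# Host addresses that accept traffic on every interface. Docker 20.10+ adds
# both an IPv4 (0.0.0.0) and an IPv6 (::) entry for an unbound --publish.
WILDCARDS = {"", "0.0.0.0", "::"}

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields this check uses. Real output carries many more keys per container.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-any",            # docker run -p 49153:80 nginx
     "NetworkSettings": {"Ports": {
         "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "49153"},
                    {"HostIp": "::",      "HostPort": "49153"}]}}},
    {"Name": "/web-bound",          # docker run -p 10.2.3.4:49153:80 nginx
     "NetworkSettings": {"Ports": {
         "80/tcp": [{"HostIp": "10.2.3.4", "HostPort": "49153"}]}}},
    {"Name": "/worker",             # EXPOSE 8080 in the image, never published
     "NetworkSettings": {"Ports": {"8080/tcp": None}}},
])


def wildcard_bindings(inspect_json: str) -> list[tuple[str, str, str, str]]:
    """Return (container, container_port, host_ip, host_port) for every
    published port whose host address is a wildcard.

    Ports that are only exposed (value None) are not reachable from outside
    the host and are therefore not reported.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for cport, bindings in ports.items():
            for binding in bindings or []:
                host_ip = binding.get("HostIp", "")
                if host_ip in WILDCARDS:
                    findings.append((name, cport, host_ip, binding["HostPort"]))
    return findings


def report(inspect_json: str) -> int:
    """Print one line per finding; return 1 if any wildcard binding exists."""
    findings = wildcard_bindings(inspect_json)
    for name, cport, host_ip, host_port in findings:
        print(f"FAIL {name}: {cport} published on {host_ip or '<any>'}:{host_port}")
    if not findings:
        print("PASS: no published port is bound to a wildcard host address")
    return 1 if findings else 0


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    sys.exit(report(data))
```

Run without input it evaluates the embedded sample, flagging `web-any` twice (IPv4 and IPv6 wildcard) and passing `web-bound`. Remediation is the `--publish <host-ip>:<host-port>:<container-port>` form shown in the Solution above; if every container on the host should default to the same interface, the daemon-level `"ip"` key in daemon.json (the `dockerd --ip` option) sets the address used when `--publish` omits one.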

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 20fd9764dc81fdc33a1939f3f20693cdf9f9ff18746e51ec9b6b15ad0fc30d9c