To secure your firewall, you want to "Deny all traffic" by default and only open some ports. You want to create an exemption for the web portal on port 8000, so you open up that port. ADM Defender will create rules like:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ...
    ACCEPT all -- localhost anywhere 8000,8001
    ...
    DROP all -- anywhere anywhere
Now, if you are running Docker (a very useful feature), you might want to run a container that also listens on port 8000 (e.g. Portainer). You'll run this in bridge mode with it bound to port 19800. Under the hood, Docker will create two NAT rules for you:

    DNAT tcp -- anywhere anywhere tcp dpt:19800 to:172.17.0.2:8000
Is there a way around this? Lots of containers like to use port 8000, and it would be nice to only open up the port the web portal is on, not the underlying container. Ideally, we can set the destination IP so that we can lock it down. I would like to create a VPN server on my NAS and open it up to the internet, but I cannot control which Docker containers are locked to just non-VPN LAN access.
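The reason the INPUT DROP never fires is that Docker's DNAT rule rewrites the packet in nat PREROUTING, so it is forwarded to the container and never traverses INPUT at all. Docker does, however, run forwarded container traffic through the DOCKER-USER chain before its own rules and leaves that chain untouched, so a LAN-only restriction for the published port can be enforced there. The script below is an added example (not from the original post, ADM or Docker); it assumes a constructed LAN of 192.168.1.0/24 and the published host port 19800 from the post, and prints the iptables commands for review rather than running them.

```shell
#!/bin/sh
# Added example: restrict a Docker-published port to LAN clients via the
# DOCKER-USER chain. Assumed values (constructed): LAN 192.168.1.0/24,
# published host port 19800 (container port 8000 on 172.17.0.2).

# docker_lan_only HOST_PORT LAN_CIDR
# Prints the iptables commands instead of running them; pipe to sh to apply.
docker_lan_only() {
  port="$1"; lan="$2"
  [ -n "$port" ] && [ -n "$lan" ] || { echo "usage: docker_lan_only PORT CIDR" >&2; return 2; }
  # By the time a packet reaches FORWARD/DOCKER-USER it has already been
  # DNAT'd to 172.17.0.2:8000, so --dport 19800 would never match. Match on
  # the original destination port recorded by conntrack instead, and only in
  # the ORIGINAL direction so replies from the container are never affected.
  # Rules are inserted (-I) in reverse order: DROP first, then the LAN
  # exception above it, so Docker's trailing RETURN in DOCKER-USER is not
  # reached for packets to this port.
  printf 'iptables -I DOCKER-USER -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport %s -j DROP\n' "$port"
  printf 'iptables -I DOCKER-USER -s %s -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport %s -j RETURN\n' "$lan" "$port"
}

# docker_lan_only_enforced HOST_PORT
# Returns 0 if a DROP for the port is already present in DOCKER-USER.
# iptables -S prints rules in the same command syntax generated above.
docker_lan_only_enforced() {
  iptables -S DOCKER-USER 2>/dev/null | grep -q -- "--ctorigdstport $1 .*-j DROP"
}

docker_lan_only 19800 192.168.1.0/24
```

The more direct answer to "set the destination IP" is to publish the container only on the LAN address of the NAS, e.g. `-p 192.168.1.10:19800:8000` (host IP assumed), so Docker's own DNAT rule matches only that address; the DOCKER-USER rules above are the way to enforce the same thing for containers whose port mapping you do not control.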