tags: Docker MySQL

Closing public access to the MySQL port without overriding Docker's iptables forwarding rules

This page is my reminder note for the situation where someone else set up a MySQL container incorrectly and you cannot fix it the official way for whatever reason: the setup was not done by you, it already runs a pile of things you have no time to check one by one, and you need to close the MySQL port right now because it is publicly reachable on a network that is supposed to be restricted. A Docker published port is wired into the nat table and the FORWARD chain ahead of your own rules, so an ordinary host firewall rule on INPUT does not block it; this guide covers what does.

Official way: set it up before the container is up

Normally I would recommend the official way: create the Docker networks and firewall rules first, before anything else. Getting the rules right up front matters because once there are many containers you do not want to amend their network settings one by one when they all share the same network policy.

First, create a user-defined bridge network with a known subnet, so that firewall rules can be written against that subnet rather than against individual containers:
</gml_replace>
<gr_replace lines="16" cat="clarify" orig="Adding this">
Then add these two rules to the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules and never rewrites. Together they reject every new connection that a container in 172.19.0.0/16 tries to initiate through the host, while reply traffic (RELATED,ESTABLISHED) still passes, so ports published from these containers stay reachable from outside but the containers themselves cannot reach the internet. Run the commands in exactly this order: `--insert` puts each rule at the top of the chain, so the RETURN rule has to be inserted second to end up above the REJECT; in the reverse order the REJECT also kills the replies to your published ports. The rules are not persistent, so save them with your distribution's iptables persistence mechanism if they must survive a reboot.

docker network create --subnet=172.19.0.0/16 internet

Adding this IPTable rules would be recommend also:

sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
sudo iptables --insert DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN

Then create an internal network, which has no route to the outside at all:

docker network create --internal --subnet 10.1.1.0/24 no-internet

After that you can take a container off the internet by connecting it to the internal network and then disconnecting it (`docker network disconnect`) from the network that still has external access. Connecting alone is not enough: a container keeps every network it is attached to. For example, to attach a container to the internal network:

docker network connect no-internet container-name
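Because `--insert` reverses the order you type the commands in, it is worth auditing the live chain rather than trusting memory. The following script is an added example (not from the original note): it parses the output of `iptables -S DOCKER-USER`, checks that the RELATED,ESTABLISHED RETURN rule for a subnet sits above the REJECT rule, and prints the commands in the correct order when it does not. The two sample listings are constructed, and it accepts both the `-m state --state` spelling used above and the `-m conntrack --ctstate` form that newer iptables prints back.

```python
"""Audit the DOCKER-USER chain for the per-subnet RETURN/REJECT pair.

Added example, not part of the original note. Reads `iptables -S DOCKER-USER`
(root) or, when that is unavailable, audits the constructed samples below.
"""
import shlex
import subprocess
import sys

# Constructed sample listings in `iptables -S` format (not captured from a real host).
SAMPLE_OK = """\
-N DOCKER-USER
-A DOCKER-USER -s 172.19.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
"""

SAMPLE_WRONG_ORDER = """\
-N DOCKER-USER
-A DOCKER-USER -s 172.19.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -s 172.19.0.0/16 -m state --state RELATED,ESTABLISHED -j RETURN
-A DOCKER-USER -j RETURN
"""


def parse_rules(listing):
    """Turn `-A DOCKER-USER ...` lines into dicts; `-N` and other lines are skipped."""
    rules = []
    for line in listing.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A":
            continue
        rule = {"source": None, "target": None, "states": set()}
        for i, tok in enumerate(argv):
            if tok in ("-s", "--source") and argv[i - 1] != "!":   # ignore negated sources
                rule["source"] = argv[i + 1]
            elif tok in ("-j", "--jump"):
                rule["target"] = argv[i + 1]
            elif tok in ("--state", "--ctstate"):                   # -m state / -m conntrack
                rule["states"] = set(argv[i + 1].split(","))
        rules.append(rule)
    return rules


def audit_subnet(listing, subnet):
    """Return (ok, message) for the subnet's RETURN/REJECT pair in the listing."""
    ret_idx = rej_idx = None
    for i, r in enumerate(parse_rules(listing)):
        if r["source"] != subnet:
            continue
        if r["target"] == "RETURN" and {"RELATED", "ESTABLISHED"} <= r["states"]:
            ret_idx = i if ret_idx is None else ret_idx
        elif r["target"] in ("REJECT", "DROP") and not r["states"]:
            rej_idx = i if rej_idx is None else rej_idx
    if rej_idx is None:
        return False, "no REJECT/DROP rule for %s: containers can still reach out" % subnet
    if ret_idx is None:
        return False, "no RELATED,ESTABLISHED RETURN for %s: replies to published ports are rejected" % subnet
    if ret_idx > rej_idx:
        return False, "RETURN rule is below REJECT for %s: replies never reach it" % subnet
    return True, "rule order correct for %s" % subnet


def rule_commands(subnet):
    """The two inserts in the order that leaves RETURN above REJECT (each lands at position 1)."""
    return [
        ["iptables", "-I", "DOCKER-USER", "-s", subnet, "-j", "REJECT",
         "--reject-with", "icmp-port-unreachable"],
        ["iptables", "-I", "DOCKER-USER", "-s", subnet, "-m", "conntrack",
         "--ctstate", "RELATED,ESTABLISHED", "-j", "RETURN"],
    ]


def current_listing():
    """Read the live chain (needs root); None when iptables cannot be run."""
    try:
        return subprocess.run(["iptables", "-S", "DOCKER-USER"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    subnet = sys.argv[1] if len(sys.argv) > 1 else "172.19.0.0/16"
    listing = current_listing()
    if listing is None:
        print("could not read DOCKER-USER; auditing the constructed samples instead")
        for name, sample in (("ok", SAMPLE_OK), ("wrong order", SAMPLE_WRONG_ORDER)):
            print(name, audit_subnet(sample, subnet))
    else:
        ok, msg = audit_subnet(listing, subnet)
        print(msg)
        if not ok:
            print("run in this order:")
            for cmd in rule_commands(subnet):
                print("  sudo " + " ".join(cmd))
```

Run it as root with the subnet as the only argument; without root it falls back to the constructed samples so you can see both verdicts.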

It is worth reading up on Docker networking in general; it is extremely useful and important when you set up Docker.

For more docker network related information:
https://docs.docker.com/network/

Quick way to block it

But sometimes one container is already causing a problem and you have every reason to fix it immediately. In that case the steps below restrict the one published port without touching any of Docker's forwarding rules.

Step 1: Find the container ID of MySQL

sudo docker ps

Step 2: Stop the docker container

sudo docker stop <container ID>

Step 3: Match the container ID (its first 12 characters) against the directory names under /var/lib/docker/containers and edit that container's hostconfig.json

sudo ls /var/lib/docker/containers/
sudo vi /var/lib/docker/containers/{container_id}/hostconfig.json
.......
"PortBindings": {
    "3306/tcp": [
        {
            "HostIp": "",
            "HostPort": "3306"
        }
    ]
},
.......

An empty HostIp (or 0.0.0.0) means the port is published on every host interface. Amend it so the port is bound to the loopback address only:

"HostIp": "127.0.0.1"

Then save the file and quit. If a specific application host must still reach MySQL, bind to the host-facing IP that serves it instead of 127.0.0.1. Note that Docker writes this file as a single compact JSON line; the pretty-printed form above is only for readability, and editing files under /var/lib/docker directly is not a supported interface, which is why the daemon restart in the next step is needed.

Step 4: Restart the Docker daemon so it re-reads hostconfig.json (the running daemon caches the container configuration; restarting only the container is not enough)

sudo systemctl restart docker

Step 5: Start the MySQL container again

sudo docker start {container_id}

Afterwards, confirm that `docker port` for the container now reports 127.0.0.1:3306 and that nothing on the host listens on 0.0.0.0:3306 any more.
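Steps 1 to 5 as one script, added here as an example rather than taken from the original note. The JSON rewrite is done with Python's json module instead of by hand so that only the requested port is touched and the rest of hostconfig.json is preserved; `public_bindings` is the check to run first (and again afterwards) to list every port still published on all interfaces. It assumes Docker's default data-root of /var/lib/docker and a systemd-managed daemon; the sample hostconfig fragment is constructed for the offline check.

```python
"""Rebind a container's published port to localhost by editing hostconfig.json.

Added example, not part of the original note. Automates: stop the container,
rewrite HostIp for one port, restart dockerd (so it re-reads the file), start
the container, and report the new binding via `docker port`.
"""
import json
import subprocess
import sys
from pathlib import Path

DOCKER_ROOT = Path("/var/lib/docker/containers")   # default data-root; assumption

# Constructed hostconfig fragment shaped like the one shown above (not from a real host).
SAMPLE_HOSTCONFIG = {
    "PortBindings": {
        "3306/tcp": [{"HostIp": "", "HostPort": "3306"}],
        "33060/tcp": [{"HostIp": "0.0.0.0", "HostPort": "33060"}],
    }
}


def public_bindings(hostconfig):
    """Return {container_port: [host_port, ...]} for bindings reachable on every interface.

    An empty HostIp or 0.0.0.0 makes Docker DNAT the port on all IPv4 addresses;
    '::' does the same for IPv6.
    """
    public = {}
    for cport, bindings in (hostconfig.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                public.setdefault(cport, []).append(b.get("HostPort", ""))
    return public


def restrict_port_bindings(hostconfig, container_port, host_ip="127.0.0.1"):
    """Return a copy of hostconfig with container_port (e.g. '3306/tcp') bound to host_ip only."""
    new = json.loads(json.dumps(hostconfig))          # deep copy; the input stays untouched
    bindings = new.get("PortBindings", {}).get(container_port)
    if not bindings:
        raise KeyError("%s is not a published port" % container_port)
    for b in bindings:
        b["HostIp"] = host_ip
    return new


def docker(*args):
    """Run a docker CLI command and return its stdout (raises on failure)."""
    out = subprocess.run(["docker", *args], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def rebind(container, container_port="3306/tcp", host_ip="127.0.0.1"):
    """Steps 1-5 from the note for one container name or ID; returns the new binding."""
    cid = docker("inspect", "--format", "{{.Id}}", container)   # full ID = directory name
    path = DOCKER_ROOT / cid / "hostconfig.json"
    docker("stop", cid)
    cfg = json.loads(path.read_text())
    path.write_text(json.dumps(restrict_port_bindings(cfg, container_port, host_ip)))
    subprocess.run(["systemctl", "restart", "docker"], check=True)   # dockerd re-reads the file
    docker("start", cid)
    return docker("port", cid, container_port)                     # e.g. "127.0.0.1:3306"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: rebind_port.py <container> [port/proto] [host_ip]")
        print("offline check on the constructed sample:", public_bindings(SAMPLE_HOSTCONFIG))
        sys.exit(1)
    print("now bound to", rebind(*sys.argv[1:4]))
```

Run it as root (`sudo python3 rebind_port.py <container> 3306/tcp`); after it finishes, `sudo ss -ltnp` should show docker-proxy listening on 127.0.0.1:3306 rather than on every address, and the iptables DNAT rule Docker regenerates will match only that destination.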