DEV Community

Discussion on: Be careful with Docker ports!

Denis Rendler

Hey, Kevin.

I really liked your article, especially as I got bitten the same way with exactly the same ELK stack :). But I think there are a few points that might need a bit of reconsidering.
The thing is that iptables itself "is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel", and it comes by default with, I think, all Linux distros. It is just an interface between the user and the kernel. If I am not mistaken, UFW is the same, offering an easy interface for the user to configure rules.

Given that, Docker, indeed, is using iptables to do a few magic tricks with its networking, but it is explained here: docs.docker.com/network/iptables/ and a bit more here: docs.docker.com/config/containers/... and in a few other scattered places in the docs. Nobody's docs are perfect :)

An improvement that I think you could do, and which helped me, is to add a rule to the DOCKER-USER chain to log and drop all packets. That way you are safe from future mistakes.
Another trick I did was to have my proxy, HAProxy in my case, run inside a container, and I simply created a network between the proxy and the ELK stack. That way I no longer needed to map ports to the host. Everything was contained inside the Docker network, and from the host only ports 80 and 443 were allowed. Whenever I need to add a new service I just attach it to the HAProxy network and voila.

Denis Rendler

Also, this option might help you:
--ip ip    Default IP when binding container ports (default 0.0.0.0)

You can configure it through daemon.json, located at /etc/docker/, and it will always map host ports to 127.0.0.1 if you want.

I hope it helps. ;)
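Both comments above come down to the same check: which container ports are published on all host interfaces (the 0.0.0.0 default) rather than only the ones you meant to expose, such as 80 and 443 on the proxy. The following script is an added example, not code from the commenter or from Docker; it reads the JSON that `docker inspect` prints for one or more containers and lists every port binding that listens on every interface and is not on an allow-list. The sample JSON embedded below is constructed for the example, and the container names and ports in it are invented.

```python
import json
import sys

# Constructed sample in the shape `docker inspect <container...>` prints,
# trimmed to the fields this check reads. Names and ports are invented.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/elasticsearch",
     "HostConfig": {"PortBindings": {
         "9200/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9200"}]}}},
    {"Name": "/kibana",
     "HostConfig": {"PortBindings": {
         "5601/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5601"}]}}},
    {"Name": "/haproxy",
     "HostConfig": {"PortBindings": {
         "80/tcp": [{"HostIp": "", "HostPort": "80"}],
         "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}]}}},
])

# An empty HostIp means Docker used its default, i.e. all interfaces.
WILDCARD_IPS = {"", "0.0.0.0", "::"}


def find_public_bindings(inspect_output, allowed_ports=frozenset({80, 443})):
    """Return (container, host_port, container_port) for every published
    port that listens on all host interfaces and is not in allowed_ports.
    host_port is None when Docker picks an ephemeral port (empty HostPort)."""
    findings = []
    for container in json.loads(inspect_output):
        name = container["Name"].lstrip("/")
        bindings = container.get("HostConfig", {}).get("PortBindings") or {}
        for container_port, hosts in bindings.items():
            for host in hosts or []:
                host_ip = host.get("HostIp", "")
                host_port = int(host["HostPort"]) if host.get("HostPort") else None
                if host_ip in WILDCARD_IPS and host_port not in allowed_ports:
                    findings.append((name, host_port, container_port))
    return findings


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 audit_ports.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, host_port, cport in find_public_bindings(data):
        print(f"{name}: host port {host_port} -> {cport} listens on all interfaces")
```

Run against the sample it reports only elasticsearch on 9200; kibana is bound to loopback and the proxy's 80 and 443 are on the allow-list.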