Hello to all! A question has been on my mind for a while: how do you restrict access to containers over the network?

Well, you have Linux on which Docker runs; on this same Linux you also have iptables, which is completely closed to the whole world and open only for you, since you are paranoid. One fine day you run nginx with docker run -it -p 80:80 nginx and voila, port 80 is open to the world, since port forwarding is performed from the nat table in iptables, which is lower than the filter table in which you have all your rules. What to do in this case? Drag everything you have from filter into nat? And what then about the table being filled dynamically by Docker? In general it is quite uncomfortable. Or maybe there is something I do not understand...

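An added example (not part of the question above, and not Docker's own code) of how a defender can enforce such a restriction: Docker leaves the DOCKER-USER chain in the filter table's FORWARD path for exactly this purpose and evaluates it before its own rules, so an allowlist placed there covers every published port regardless of what the nat table does. The interface name eth0 and the trusted network 192.0.2.0/24 are placeholder assumptions.

```shell
#!/bin/sh
# Restrict who may reach Docker-published ports via the DOCKER-USER chain.
# Assumptions (placeholders, not from the original post): the external
# interface is eth0 and the only trusted client network is 192.0.2.0/24.
EXT_IF="${EXT_IF:-eth0}"
TRUSTED="${TRUSTED:-192.0.2.0/24}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the iptables commands instead of running them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

docker_user_rules() {
  # Flush only DOCKER-USER; Docker's own DOCKER/DOCKER-ISOLATION chains are left alone.
  run iptables -F DOCKER-USER
  # Let replies to connections that containers themselves opened come back in.
  run iptables -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  # New connections from the trusted network arriving on the external interface pass on.
  run iptables -A DOCKER-USER -i "$EXT_IF" -s "$TRUSTED" -j RETURN
  # Anything else arriving on the external interface toward a container is dropped.
  run iptables -A DOCKER-USER -i "$EXT_IF" -j DROP
  # Traffic from other interfaces (for example docker0) continues to Docker's rules.
  run iptables -A DOCKER-USER -j RETURN
}

# Usage: sh docker-user-rules.sh apply   (set DRY_RUN=1 to preview the rules first)
if [ "${1:-}" = "apply" ]; then
  docker_user_rules
fi
```

For a service that should never be reachable from outside the host at all, publishing it as -p 127.0.0.1:80:80 binds the port to loopback only.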