Open domx4q opened 1 year ago
From a user perspective, I totally agree.
Unfortunately, this is difficult. Docker applies NAT PREROUTING rules first, whereby the destination port in the IP frame is changed. The ufw-docker rules are applied in the FORWARD chain, namely DOCKER-USER. At this point in time, the ports have already been altered and the original port is not available anymore.
One option might be to use conntrack's feature "--ctorigdstport", because the conntrack table allows a stateful firewall.
In general: if you are aiming for a proper solution, put a dedicated firewall before the server. Separating the docker server and the firewall makes sense from a security perspective.
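The conntrack approach mentioned above, as an added example that is not code from the ufw-docker project or from anyone in this thread: it assumes a public interface named eth0 and a Tailscale interface named tailscale0 (both placeholders), and it inserts its rules at the top of DOCKER-USER so they are evaluated before ufw-docker's own rules.

```shell
#!/bin/sh
# Added example (not ufw-docker's own code): allow by the PUBLISHED host port
# in DOCKER-USER instead of the container port. Docker's PREROUTING DNAT has
# already rewritten the destination port when FORWARD/DOCKER-USER runs, but
# the conntrack entry still holds the original tuple, so --ctorigdstport
# can still see the port the client actually connected to.
# Assumed interface names (placeholders): eth0 = public, tailscale0 = private.

PUBLIC_IF=${PUBLIC_IF:-eth0}
PRIVATE_IF=${PRIVATE_IF:-tailscale0}

# Rule spec (chain plus match/target, without the iptables verb) accepting
# client->container traffic whose ORIGINAL destination port was the published
# port. --ctdir ORIGINAL restricts it to that direction only.
# Usage: origport_rule <iface> <proto> <published-port>
origport_rule() {
  printf 'DOCKER-USER -i %s -p %s -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j ACCEPT' \
    "$1" "$2" "$3"
}

# Rule spec accepting everything that arrives on the private (VPN) interface.
private_if_rule() {
  printf 'DOCKER-USER -i %s -j ACCEPT' "$1"
}

# Reads `iptables -S DOCKER-USER` output on stdin; succeeds if a rule for the
# given published port is already listed (iptables may print a single port
# as "8080" or as the range "8080:8080").
has_origport_rule() {
  grep -Eq -- "--ctorigdstport $1(:$1)?( |$)"
}

# Idempotently insert a spec at position 1 of DOCKER-USER. Needs root and
# iptables; only reached via "apply".
insert_rule() {
  spec=$1
  # shellcheck disable=SC2086  (word splitting of the spec is intended)
  iptables -C $spec 2>/dev/null || iptables -I $spec
}

case "${1:-}" in
  apply)
    insert_rule "$(origport_rule "$PUBLIC_IF" tcp 8080)"   # published port 8080
    insert_rule "$(origport_rule "$PUBLIC_IF" tcp 8443)"   # published port 8443
    insert_rule "$(private_if_rule "$PRIVATE_IF")"         # whole VPN interface
    ;;
  "")
    printf 'iptables -I %s\n' "$(origport_rule "$PUBLIC_IF" tcp 8080)"
    ;;
esac
```

Run with `apply` as root to install the rules; without arguments it only prints the rule it would insert.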
Hello,
Is there a way to allow the exposed ports instead of the container ports? I know, I could just allow the specific port on a specific IP. But I have multiple containers with the same port inside and I need to expose them, but then there is overlapping. I've added a rule to allow every container port on the tailscale network, because this is a private and secure network, so I can easily access every service. But on the public network, I only want to allow some ports. (The tailscale network behaves like a normal network interface, so it can be easily separated. The problem is the overlapping of some ports, which are differently exposed, but the same on the container.)