
I'm new to Docker & Portainer and I'm trying to lock it down from public access where it's not needed.

My setup:

Windows 2022 Server running Hyper-V (host)
Ubuntu 22.04 Workstation (virtual machine)
Docker (latest)
Portainer (port 9000)
MySQL (latest)

I am using Ubuntu Workstation 22.04 running with a public IP. I'm in through ssh and have Docker, Portainer and MySQL installed. I was testing Portainer to see if I could access it from outside my computer and apparently I can, from anywhere.

Ubuntu IP: *.*.*.219
My IP: *.*.*.84
Portainer URL: http://*.*.*.219:9000

I checked ufw and didn't see anything wrong with it. I even went as far as blocking port 9000 directly but I can still access the Portainer website.

# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   ALLOW IN    *.*.*.84            
[ 2] 80                         ALLOW IN    Anywhere                  
[ 3] 443                        ALLOW IN    Anywhere                  
[ 4] 9000                       ALLOW IN    *.*.*.84            
[ 5] 9000                       DENY IN     Anywhere                  
[ 6] 9000 (v6)                  DENY IN     Anywhere (v6) 

I installed Portainer per the instructions on their website and I've had no issues with it. I can access Portainer from any computer on the internet. I need to isolate it to only my ip.

What do I need to do to find out why my firewall isn't working for me?

ADDITIONAL INFO

iptables-save

iptables -L -nv --line-numbers

iptables -L -t nat -nv --line-numbers


ufw by default does not show iptables rules. I suggest you always work with iptables directly and not via ufw. Can you please do:

iptables -S

and

iptables -t nat -S 

and post the output minus any identifying addresses.

Below is based on a standard install and what rules would be needed to lock down an external-facing server. Once I have the info for your setup I can adjust what is needed.

I am assuming that Docker has given your container the IP 172.17.42.1; adjust the address as per your setup.

Save the below to a file, e.g. iprules.v4:

#!/bin/sh
# Allow everything from your own address first (inserted at the top of INPUT)
iptables -I INPUT -s *.*.*.84 -j ACCEPT
iptables -t nat -I PREROUTING -s *.*.*.84 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.42.1:9000
# Keep loopback and replies to connections the server opened itself, otherwise the DROP policy below breaks them
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# ssh: just in case you need it from somewhere, and also as a backup until you have confirmed the rules are right, as you are accessing it remotely
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

then run it as a script (the file holds iptables commands, not iptables-save output, so iptables-restore would reject it):

 sh iprules.v4

I would then disable ufw, otherwise ufw may override the iptables if the rules are reloaded.
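Added here as a worked check, not part of the question or of the answer above: the two dumps the answer asks for can be audited for exactly this failure. Docker publishes a port with a DNAT rule in the nat table, so the packets are forwarded through FORWARD (where Docker consults its DOCKER-USER chain) and never traverse INPUT, which is where ufw's DENY rule sits. The dumps, the allowed address 203.0.113.84 and the container address 172.17.0.2 are constructed samples.

```python
"""Audit `iptables -S` / `iptables -t nat -S` dumps for Docker-published
ports reachable from any source. All dumps and addresses are constructed."""

# Constructed: abridged dumps from a default Docker host that also runs ufw.
NAT_DUMP = """\
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
"""
FILTER_DUMP = """\
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 9000 -j DROP
"""
# Constructed: the same host after restricting port 9000 in DOCKER-USER.
# DOCKER-USER is hit in FORWARD, after PREROUTING's DNAT, so --dport is the
# container port; for Portainer that is 9000, the same as the published port.
HARDENED_FILTER_DUMP = FILTER_DUMP.replace(
    "-A DOCKER-USER -j RETURN\n",
    "-A DOCKER-USER -s 203.0.113.84/32 -p tcp -m tcp --dport 9000 -j RETURN\n"
    "-A DOCKER-USER -p tcp -m tcp --dport 9000 -j DROP\n"
    "-A DOCKER-USER -j RETURN\n")

def parse_rules(dump, chain):
    """Yield (dport, target) for each -A rule in `chain`; ignores `!` negation."""
    for line in dump.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", chain]:
            continue
        dport = target = None
        for i, t in enumerate(toks[:-1]):
            if t == "--dport":
                dport = int(toks[i + 1])
            elif t == "-j":
                target = toks[i + 1]
        yield dport, target

def published_ports(nat_dump):
    """Host ports Docker DNATs into containers (nat table, DOCKER chain)."""
    return sorted({p for p, tgt in parse_rules(nat_dump, "DOCKER") if tgt == "DNAT"})

def ufw_input_drops(filter_dump):
    """Ports ufw drops in INPUT. DNAT'd packets are forwarded, not delivered
    locally, so they never traverse INPUT and these rules do not see them."""
    return sorted(p for p, tgt in parse_rules(filter_dump, "ufw-user-input") if tgt == "DROP")

def exposed_ports(nat_dump, filter_dump):
    """Published ports with no DROP rule in DOCKER-USER (dport None = all ports)."""
    drops = {p for p, tgt in parse_rules(filter_dump, "DOCKER-USER") if tgt == "DROP"}
    return [] if None in drops else [p for p in published_ports(nat_dump) if p not in drops]
```

Run against real output of `iptables -S` and `iptables -t nat -S`, it lists the published ports that ufw's INPUT rules cannot protect; an empty result from exposed_ports means every published port is covered by a DROP in DOCKER-USER.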
