diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index e24dcc21a..e2ec07d32 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -6,94 +6,103 @@ docker:
 containers:
 'so-dockerregistry':
 final_octet: 20
- ports:
- 5000: tcp
+ port_bindings:
+ - 0.0.0.0:5000:5000
 'so-elastic-fleet':
 final_octet: 21
- ports:
- 8220: tcp
+ port_bindings:
+ - 0.0.0.0:8220:8220/tcp
 'so-elasticsearch':
 final_octet: 22
- ports:
- 9200: tcp
- 9300: tcp
+ port_bindings:
+ - 0.0.0.0:9200:9200/tcp
+ - 0.0.0.0:9300:9300/tcp
 'so-filebeat':
 final_octet: 23
- ports:
- 514: udp
- 5066: tcp
+ port_bindings:
+ - 0.0.0.0:514:514/udp
+ - 0.0.0.0:514:514/tcp
+ - 0.0.0.0:5066:5066/tcp
 'so-grafana':
 final_octet: 24
- ports:
- 3000: tcp
+ port_bindings:
+ - 0.0.0.0:3000:3000
 'so-idstools':
 final_octet: 25
 'so-influxdb':
 final_octet: 26
- ports:
- 8086: tcp
+ port_bindings:
+ - 0.0.0.0:8086:8086
 'so-kibana':
 final_octet: 27
- ports:
- 5601: tcp
+ port_bindings:
+ - 0.0.0.0:5601:5601
 'so-kratos':
 final_octet: 28
- ports:
- 4433: tcp
- 4434: tcp
+ port_bindings:
+ - 0.0.0.0:4433:4433
+ - 0.0.0.0:4434:4434
 'so-logstash':
 final_octet: 29
- ports:
- 3765: tcp
- 5044: tcp
- 5055: tcp
- 5644: tcp
- 6050: tcp
- 6051: tcp
- 6052: tcp
- 6053: tcp
- 9600: tcp
+ port_bindings:
+ - 0.0.0.0:3765:3765
+ - 0.0.0.0:5044:5044
+ - 0.0.0.0:5055:5055
+ - 0.0.0.0:5644:5644
+ - 0.0.0.0:6050:6050
+ - 0.0.0.0:6051:6051
+ - 0.0.0.0:6052:6052
+ - 0.0.0.0:6053:6053
+ - 0.0.0.0:9600:9600
 'so-mysql':
 final_octet: 30
- ports:
- 3306: tcp
+ port_bindings:
+ - 0.0.0.0:3306:3306
 'so-nginx':
 final_octet: 31
- ports:
- 80: tcp
- 443: tcp
+ port_bindings:
+ - 80:80
+ - 443:443
 'so-playbook':
 final_octet: 32
+ port_bindings:
+ - 0.0.0.0:3200:3000
 'so-redis':
 final_octet: 33
- ports:
- 6379: tcp
- 9696: tcp
+ port_bindings:
+ - 0.0.0.0:6379:6379
+ - 0.0.0.0:9696:9696
 'so-soc':
 final_octet: 34
- ports:
- 9822: tcp
+ port_bindings:
+ - 0.0.0.0:9822:9822
 'so-soctopus':
 final_octet: 35
- ports:
- 7000: tcp
+ port_bindings:
+ - 0.0.0.0:7000:7000
 'so-strelka-backend':
 final_octet: 36
 'so-strelka-filestream':
 final_octet: 37
 'so-strelka-frontend':
 final_octet: 38
+ 
port_bindings:
+ - 0.0.0.0:57314:57314
 'so-strelka-manager':
 final_octet: 39
 'so-strelka-gatekeeper':
 final_octet: 40
+ port_bindings:
+ - 0.0.0.0:6381:6379
 'so-strelka-coordinator':
 final_octet: 41
+ port_bindings:
+ - 0.0.0.0:6380:6379
 'so-elastalert':
 final_octet: 42
 'so-curator':
 final_octet: 43
 'so-elastic-fleet-package-registry':
 final_octet: 44
- ports:
- 8080: tcp
+ port_bindings:
+ - 0.0.0.0:8080:8080/tcp
diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index b1d884cd1..b9773d448 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
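Review bot: The new `port_bindings` entries are unquoted plain scalars, and Salt's PyYAML-based loader follows YAML 1.1 rules, where a `host:container` pair whose trailing field is 0–59 (e.g. `22:22`) is read as a sexagesimal integer, so the template's `binding|string` workaround would see `1342` rather than the original text. None of the values in this hunk hit that pattern, but the next one added may, so quote every binding, e.g. `- '0.0.0.0:5000:5000/tcp'`, and the `|string` conversion becomes unnecessary. While here, `so-nginx` is the only container written without the `0.0.0.0:` prefix and roughly half the entries omit the `/tcp` suffix; both forms render the same rules, but one form per file is easier to audit. Also, `0.0.0.0` publishes ports such as 3306, 6379 and 9200 on every host interface and the generated DNAT/ACCEPT rules carry no `-s` source match, so any service that is only consumed on the host itself should be bound as `127.0.0.1:PORT:PORT`, which the template already handles via `bindip`, unless source filtering happens in a part of the firewall template not shown here.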
@@ -2,6 +2,46 @@ {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%} {% from 'firewall/map.jinja' import hostgroups with context -%} {% from 'firewall/map.jinja' import assigned_hostgroups with context -%} +{%- set PR = [] %} +{%- set D1 = [] %} +{%- set D2 = [] %} +{%- for container in NODE_CONTAINERS %} +{%- set IP = DOCKER.containers[container].ip %} +{%- if DOCKER.containers[container].port_bindings is defined %} +{%- for binding in DOCKER.containers[container].port_bindings %} +{#- cant split int so we convert to string #} +{%- set binding = binding|string %} +{#- split the port binding by /. if proto not specified, default is tcp #} +{%- set binding_split = binding.split('/') %} +{%- if binding_split | length > 1 %} +{%- set proto = binding_split[1] %} +{%- else %} +{%- set proto = 'tcp' %} +{%- endif %} +{%- set bsa = binding_split[0].split(':') %} +{%- set bindip = '' %} +{%- set hostPort = '' %} +{%- set containerPort = '' %} +{%- if bsa | length == 3 %} +{%- set bindip = bsa[0] %} +{%- set hostPort = bsa[1] %} +{%- set containerPort = bsa[2] %} +{%- endif %} +{%- if bsa | length == 2 %} +{%- set hostPort = bsa[0] %} +{%- set containerPort = bsa[1] %} +{%- endif %} +{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} +{%- if bindip | length and bindip != '0.0.0.0' %} +{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- else %} +{%- do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- endif %} +{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! 
-i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%- endfor %}
+{%- endif %}
+{%- endfor %}
+
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -11,20 +51,12 @@
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
-{%- for container in NODE_CONTAINERS %}
-{%- if DOCKER.containers[container].ports is defined %}
-{%- for port, proto in DOCKER.containers[container].ports.items() %}
--A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE
-{%- endfor %}
-{%- endif %}
+{%- for rule in PR %}
+{{ rule }}
 {%- endfor %}
 -A DOCKER -i sosbridge -j RETURN
-{%- for container in NODE_CONTAINERS %}
-{%- if DOCKER.containers[container].ports is defined %}
-{%- for port, proto in DOCKER.containers[container].ports.items() %}
--A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
-{%- endfor %}
-{%- endif %}
+{%- for rule in D1 %}
+{{ rule }}
 {%- endfor %}
 COMMIT
@@ -71,12 +103,8 @@ COMMIT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
-{%- for container in NODE_CONTAINERS %}
-{%- if DOCKER.containers[container].ports is defined %}
-{%- for port, proto in DOCKER.containers[container].ports.items() %}
--A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
-{%- endfor %}
-{%- endif %}
+{%- for rule in D2 %}
+{{ rule }}
 {%- endfor %}
 -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2
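Review bot: The binding parser in the new loop never rejects a malformed entry: a `port_bindings` value with one field (`5000`), more than three fields (an IPv6 bind address such as `[::1]:5000:5000` splits on `:` into five parts) or a protocol other than tcp/udp leaves `hostPort`/`containerPort` empty or yields an invalid `-p`, and the broken rule is still appended to `PR`/`D1`/`D2`. iptables-restore rejects the whole table on a single bad rule, so one typo in defaults.yaml takes down every generated firewall rule rather than just that binding. Fail at render time instead, immediately after `bsa` is computed, as sketched below (`raise` has been available as a Salt Jinja global since 2018.3 as far as I recall; older minions would need an equivalent). Separately, `IP` is assigned on the `{%- set IP = DOCKER.containers[container].ip %}` line but never read—either use it in the three `append` calls in place of the repeated `DOCKER.containers[container].ip` or drop the line.
```jinja
{%- set bsa = binding_split[0].split(':') %}
{%- if bsa | length < 2 or bsa | length > 3 %}
{{ raise("invalid port_binding '" ~ binding ~ "' for " ~ container ~ ": expected [bindip:]hostPort:containerPort[/tcp|udp]") }}
{%- endif %}
{%- if proto not in ['tcp', 'udp'] %}
{{ raise("invalid protocol '" ~ proto ~ "' in port_binding '" ~ binding ~ "' for " ~ container) }}
{%- endif %}
{#- … unchanged: bindip/hostPort/containerPort assignment and the PR/D1/D2 appends … #}
```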