Rancher Cross AWS VPC Management

  • 22/tcp is needed by docker-machine only during setup, from the server container, to SSH to the host and install Docker / start the Rancher agent.
  • 2376/tcp is not needed at all, but docker-machine insists on adding it.
  • 500/udp and 4500/udp are only needed between hosts in the environment.

So none of those actually have to be open to the internet.

Hosts communicate with each other using the public IP they are registered with (which shows up in the UI on each host). If all the hosts in a single environment can reach each other with their private IPs, then you can register them with those instead (https://docs.rancher.com/rancher/v1.5/en/faqs/agents/#how-does-the-host-determine-ip-address-and-how-can-i-change-it-what-do-i-do-if-the-ip-of-my-host-has-changed-due-to-reboot).

The agent opens the connection to the server for management. The server does not need to be able to directly reach the registered IP of the host.

You can (and should) set the host registration URL in settings to a hostname.
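The port notes and the registration-IP rule above, turned into a small planner/auditor for AWS security-group ingress. This is an added example, not Rancher's or docker-machine's code: the host inventory, server address, `plan_rules`/`audit_rules` helpers and the `docker_machine_defaults` rule set (modelled on the post's remark that docker-machine opens 22 and 2376) are constructed for illustration. It assumes the registered IP is set with the agent's `CATTLE_AGENT_IP` variable, as the linked FAQ describes.

```python
"""Plan and audit AWS security-group ingress for a Rancher 1.x environment.

Added example, not Rancher's or docker-machine's code. The inventory,
server IP and helper names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Host:
    name: str
    vpc_id: str
    private_ip: str
    public_ip: str


@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp" or "udp"
    port: int
    source: str   # CIDR allowed to reach the port
    reason: str


def registration_ip(host, env_hosts):
    """IP the host should register with (passed as CATTLE_AGENT_IP).

    Private IP only if every host in the environment is in the same VPC,
    so they can all reach each other privately; otherwise the public IP.
    """
    if all(h.vpc_id == host.vpc_id for h in env_hosts):
        return host.private_ip
    return host.public_ip


def plan_rules(env_hosts, server_ip, during_setup=True):
    """Minimal ingress rules for one host's security group."""
    rules = []
    if during_setup:
        # 22/tcp: only the Rancher server (docker-machine runs inside the
        # server container) needs SSH, and only while provisioning the host.
        rules.append(Rule("tcp", 22, f"{server_ip}/32",
                          "docker-machine SSH during setup"))
    # 2376/tcp is deliberately absent: nothing in the environment uses it.
    # 500/udp and 4500/udp: IPsec between hosts, from each peer's registered IP.
    for peer in env_hosts:
        src = f"{registration_ip(peer, env_hosts)}/32"
        for port in (500, 4500):
            rules.append(Rule("udp", port, src, f"IPsec from peer {peer.name}"))
    return rules


def audit_rules(rules):
    """Flag rules that contradict the port notes: 2376, or anything world-open."""
    findings = []
    for r in rules:
        if r.port == 2376:
            findings.append(f"{r.proto}/{r.port} from {r.source}: 2376 is not needed")
        elif ip_network(r.source).prefixlen == 0:
            findings.append(f"{r.proto}/{r.port} from {r.source}: open to the internet")
    return findings


def docker_machine_defaults():
    """Constructed stand-in for what docker-machine adds on its own (22 and 2376
    from any source), so the auditor has something to flag."""
    return [Rule("tcp", 22, ANY, "docker-machine default"),
            Rule("tcp", 2376, ANY, "docker-machine default")]


def aws_cli_commands(group_id, rules):
    """Render the planned rules as authorize-security-group-ingress calls."""
    return [f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--protocol {r.proto} --port {r.port} --cidr {r.source}  # {r.reason}"
            for r in rules]


if __name__ == "__main__":
    # Constructed inventory: two hosts in different VPCs, so public IPs are used.
    hosts = [Host("host-a", "vpc-111", "10.0.1.10", "203.0.113.10"),
             Host("host-b", "vpc-222", "10.1.1.10", "203.0.113.30")]
    for cmd in aws_cli_commands("sg-example", plan_rules(hosts, "198.51.100.5")):
        print(cmd)
    for h in hosts:
        print(f"{h.name}: -e CATTLE_AGENT_IP={registration_ip(h, hosts)}")
    print("docker-machine defaults:", audit_rules(docker_machine_defaults()))
```

Run `plan_rules` again with `during_setup=False` once the host has registered and drop the 22/tcp rule; the agent keeps working because it is the one opening the connection to the server.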