I just spent an hour going down the wrong rabbit hole because of some misleading documentation, so I thought I'd post this here in hopes of helping others.
If you have multiple nodes, and you're trying to put your cluster behind a proxy, these are probably the network settings you want:
network.host: _local_
transport.host: _eth0_  # or wherever all the nodes can see each other
This will give you the desired effect of having 9200/9300 only accessible from localhost while still allowing nodes to find and talk to each other.
The docs led me to believe that network.bind_host and network.publish_host were the way to accomplish this. The docs state: "The network.host setting explained in Commonly used network settings is a shortcut which sets the bind host and the publish host at the same time. In advanced used cases, such as when running behind a proxy server, you may need to set these settings to different values"
The reality is that Elasticsearch will only bind to the interfaces set in network.bind_host no matter what you set network.publish_host to. I was trying a bind_host of local and publish_host of eth0, but I could see that ES was still only listening on the local interface.
I hope this saves someone some time someday. In my Googling, I found others confused about the same issue but no great explanation of the right way. Maybe the docs could clarify this. I haven't figured out the use case where splitting bind_host and publish_host is useful, but apparently not for a typical proxy setup. (I could be missing something; if so, someone please set me straight!)
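A way to confirm what a node is actually listening on after changing these settings, as an added example that is not part of the original post: it parses `ss -ltn` output and reports any non-loopback listener on the HTTP port and which addresses the transport port is bound to. The function names, the default ports 9200/9300 and the sample lines (including the 10.0.0.5 address) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 128 [::ffff:127.0.0.1]:9200 *:*
LISTEN 0 128 10.0.0.5:9300 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and blank lines
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Drop an interface scope (%eth0) and IPv6 brackets.
        host = host.split("%")[0].strip("[]")
        # ss prints "*" for a wildcard bind; treat it as all interfaces.
        yield ("0.0.0.0" if host == "*" else host), int(port)

def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x)."""
    ip = ipaddress.ip_address(host)
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip).is_loopback

def audit(ss_output, http_port=9200, transport_port=9300):
    """Summarise where the HTTP and transport ports are bound."""
    http_exposed, transport_hosts = [], []
    for host, port in parse_listeners(ss_output):
        if port == http_port and not is_loopback(host):
            http_exposed.append(host)      # reachable without the proxy
        elif port == transport_port:
            transport_hosts.append(host)
    return {
        "http_exposed": http_exposed,
        "transport_hosts": transport_hosts,
        # Other nodes need at least one non-loopback transport listener.
        "transport_reachable": any(not is_loopback(h) for h in transport_hosts),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SS))
```

On a live node, feed it the real output, for example `audit(subprocess.check_output(["ss", "-ltn"], text=True))`.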