Surprisingly, Docker does not work out of the box with Linux's "Uncomplicated Firewall," or UFW. Both modify the same iptables configuration, and this can lead to misconfigurations that expose containers that weren't meant to be public. Here's how to fix it.
Why Doesn't Docker Work With UFW?
UFW is meant to be a very simple firewall. The problem is that both UFW and Docker try to modify the same underlying firewall rules, and this conflict requires extra configuration to sort out if you want to run UFW and Docker together.
If you set up a standard UFW firewall to deny by default and allow HTTP and SSH, this will appear secure, but it won't block Docker from starting containers bound to other ports. This problem can be hard to catch, as UFW and Docker are separate systems: Docker publishes container ports by inserting its own rules into the iptables FORWARD chain, which the INPUT rules UFW manages never see. UFW is unknowingly lying to you and won't show open ports from Docker containers.
This can be a big problem if you don't catch it. For example, perhaps you wanted to run an internal admin panel on port 8000 and whitelist it to your own IP address. While this isn't the most secure setup to begin with, it's usually fine, especially if the panel has additional authentication.
However, UFW will show the firewall rule as properly whitelisted, and the panel will of course be visible to you from your whitelisted location. But if it's run through Docker, it will be visible on port 8000 from anywhere by default.
Fixing Docker's Config
There is a solution Docker provides: modify /etc/docker/daemon.json and simply turn off Docker's iptables functionality altogether by setting the "iptables" option to false.
This works, but it is only a half solution. It disables Docker's ability to manage its own networking and can cause containers to be unable to reach the internet at all out of the box. This can still work, but you'll need to manually maintain iptables rules for Docker containers and custom networks, which is tricky, annoying, and defeats the purpose of UFW's simplicity.
The real solution is more involved, but luckily the problem is common enough that there's a handy GitHub repo detailing it and the steps to fix it. Essentially, you need to modify UFW's config at /etc/ufw/after.rules to add the following block at the end:
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
You can do that manually, but there's also a nice utility provided in this repo that will automate it and provide some useful commands for checking the real firewall status. You can download it from the repo:
sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker
Then, install the config, and restart UFW.
sudo ufw-docker install
sudo systemctl restart ufw
Once restarted, the changes should apply automatically, but if they don't, you may need to restart Docker or the machine in general. When it's enabled, the ports should all be properly blocked.
Whitelisting Docker Container Ports With UFW
This solution does require you to configure ports a little differently. The ufw-docker utility has a command that will selectively whitelist ports on specific Docker containers:
sudo ufw-docker allow httpd 80
However, if you want to use a more advanced rule, such as IP-based whitelisting, you'll have to use ufw route allow:
sudo ufw route allow proto tcp from 220.127.116.11 to any port 9443
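As an added example (written for this article, not code from the ufw-docker project), this Python script shows what the "UFW is lying to you" problem looks like in practice: it parses output of docker ps --format '{{.Names}}\t{{.Ports}}' and sudo ufw status, here embedded as constructed samples, and lists container ports published on all interfaces that no ALLOW FWD rule (the kind ufw route allow creates) covers. With stock Docker those ports are reachable from anywhere despite the plain ALLOW rules UFW shows; with ufw-docker installed they are blocked until a route rule is added.

```python
import re

# Constructed sample output of:  docker ps --format '{{.Names}}\t{{.Ports}}'
SAMPLE_DOCKER_PS = (
    "httpd\t0.0.0.0:80->80/tcp, :::80->80/tcp\n"
    "admin\t0.0.0.0:8000->8000/tcp\n"
    "db\t127.0.0.1:5432->5432/tcp\n"
)
# Constructed sample output of:  sudo ufw status
# 8000/tcp is "whitelisted" with a plain INPUT rule, which forwarded container traffic never hits.
SAMPLE_UFW_STATUS = (
    "Status: active\n\n"
    "To                         Action      From\n"
    "--                         ------      ----\n"
    "8000/tcp                   ALLOW       203.0.113.5\n"
    "172.17.0.2 80/tcp          ALLOW FWD   Anywhere  # allow httpd 80/tcp\n"
)

PUBLISH_RE = re.compile(r"(?P<host>[\d.]+|::):(?P<port>\d+)->\d+/(?P<proto>tcp|udp)")
FWD_RULE_RE = re.compile(r"^(?P<to>.+?)\s{2,}ALLOW FWD\s")
PORT_RE = re.compile(r"(\d+)/(tcp|udp)")
ALL_INTERFACES = {"0.0.0.0", "::"}


def published_on_all_interfaces(docker_ps: str) -> dict:
    """container name -> {'port/proto', ...} for publications bound to 0.0.0.0 or ::."""
    result = {}
    for line in docker_ps.splitlines():
        name, _, ports = line.partition("\t")
        result[name] = {f"{m['port']}/{m['proto']}" for m in PUBLISH_RE.finditer(ports)
                        if m["host"] in ALL_INTERFACES}
    return result


def fwd_allowed_ports(ufw_status: str) -> set:
    """'port/proto' values covered by an ALLOW FWD rule (what 'ufw route allow' creates)."""
    allowed = set()
    for line in ufw_status.splitlines():
        m = FWD_RULE_RE.match(line)
        if m:
            allowed.update(f"{p}/{proto}" for p, proto in PORT_RE.findall(m["to"]))
    return allowed


def audit(docker_ps: str, ufw_status: str) -> list:
    """(container, port/proto) pairs published on every interface with no route rule."""
    fwd = fwd_allowed_ports(ufw_status)
    return sorted((name, p) for name, ports in published_on_all_interfaces(docker_ps).items()
                  for p in ports if p not in fwd)


if __name__ == "__main__":
    for name, port in audit(SAMPLE_DOCKER_PS, SAMPLE_UFW_STATUS):
        print(f"{name}: {port} is published on all interfaces with no 'ufw route allow' rule")
```

Replace the two sample strings with the real command output to audit a host.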