How To Use Docker with a UFW Firewall

Surprisingly, Docker does not work out of the box with Linux's Uncomplicated Firewall (UFW). Both of them modify the same underlying iptables configuration, and that conflict can lead to misconfigurations that expose containers which were never meant to be public. Here's how to fix it.

Why Doesn't Docker Work With UFW?

UFW is designed to be a very simple firewall. The trouble is that both UFW and Docker try to modify the same underlying iptables rules, and this conflict requires extra setup to sort out if you want to run UFW and Docker together.

If you set up a standard UFW firewall to deny by default and allow only HTTP and SSH, it will look secure, but it will not stop Docker from publishing container ports on other ports. This problem can be hard to catch, because UFW and Docker are separate systems: UFW is unknowingly lying to you, since its status output does not show the ports opened by Docker containers.

This can be a serious problem if you don't catch it. For example, perhaps you wanted to run an internal admin panel on port 8000 and whitelist it to your own IP address. While this isn't the most secure setup to begin with, it is usually fine, especially if the panel has additional authentication.

However, UFW will show the firewall rule as properly whitelisted, and the panel will of course be visible to you from your whitelisted location. But if it is run through Docker, it will be visible on port 8000 from anywhere by default.
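A quick way to see the mismatch the article describes is to compare what Docker has actually published against what UFW says it allows. The shell functions below are an added example, not code from the original article or from the ufw-docker project; they parse the output format of `docker ps --format '{{.Names}}\t{{.Ports}}'` and `ufw status`, and the two samples embedded in the script are constructed stand-ins for that output so the check runs offline.

```shell
#!/bin/sh
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# "admin" is bound to 0.0.0.0:8000, the exact case the article warns about.
SAMPLE_PS=$(printf 'web\t0.0.0.0:80->80/tcp, :::80->80/tcp\nadmin\t0.0.0.0:8000->8000/tcp\ndb\t127.0.0.1:5432->5432/tcp\nworker\t\n')

# Constructed sample of `ufw status` output: 8000/tcp is only allowed from
# one address, which is what the admin would expect to be enforced.
SAMPLE_UFW=$(printf 'Status: active\n\nTo                         Action      From\n--                         ------      ----\n22/tcp                     ALLOW       Anywhere\n80/tcp                     ALLOW       Anywhere\n8000/tcp                   ALLOW       203.0.113.10\n')

# Print "container port/proto" for every published port bound to all
# interfaces (0.0.0.0 or ::). Docker inserts its own iptables rules ahead
# of UFW's, so these are reachable from anywhere regardless of `ufw status`.
docker_exposed_ports() {
    printf '%s\n' "$1" | awk '
    BEGIN { FS = "\t" }
    {
        name = $1
        n = split($2, maps, /, */)        # one mapping per comma-separated entry
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m ~ /^0\.0\.0\.0:/) sub(/^0\.0\.0\.0:/, "", m)
            else if (m ~ /^:::/)    sub(/^:::/, "", m)
            else continue                  # bound to a specific address: not public
            split(m, parts, "->")          # "80->80/tcp" -> host port 80, "80/tcp"
            proto = parts[2]; sub(/^[^\/]*\//, "", proto)
            key = name " " parts[1] "/" proto
            if (!(key in seen)) { seen[key] = 1; print key }   # dedupe v4/v6 twins
        }
    }'
}

# Print the UFW rules that allow a port from Anywhere (first column of `ufw status`).
ufw_open_to_anywhere() {
    printf '%s\n' "$1" | awk '$2 == "ALLOW" && $3 == "Anywhere" { print $1 }'
}

# Report Docker-published ports that UFW does NOT open to the world: these are
# the ports where the firewall status is misleading you.
docker_ports_bypassing_ufw() {
    allowed=$(ufw_open_to_anywhere "$2")
    docker_exposed_ports "$1" | while read -r name port; do
        printf '%s\n' "$allowed" | grep -qxF "$port" || printf '%s %s\n' "$name" "$port"
    done
}

# On a real host replace the samples with:
#   docker_ports_bypassing_ufw "$(docker ps --format '{{.Names}}\t{{.Ports}}')" "$(sudo ufw status)"
docker_ports_bypassing_ufw "$SAMPLE_PS" "$SAMPLE_UFW"
```

With the constructed samples the report lists `admin 8000/tcp`: UFW believes that port is restricted to one source address, but Docker has published it on every interface. Ports bound to 127.0.0.1 are skipped, since binding a container to the loopback address is one legitimate way to keep it off the public interface.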

Fixing Docker's Config

There is a solution Docker itself provides: modify /etc/default/docker or /etc/docker/daemon.json and simply turn off Docker's iptables functionality altogether:
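The daemon.json setting the paragraph refers to, shown here as an added example rather than a snippet from the original article:

```json
{
  "iptables": false
}
```

This is the same as starting dockerd with `--iptables=false`; the daemon has to be restarted for it to take effect, and existing containers will lose the NAT rules Docker had created for them.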


This works, but it is only a half solution. It disables Docker's ability to manage its own networking and can leave containers unable to reach the internet at all out of the box. It can still be made to work, but you'll need to manually maintain iptables rules for Docker containers and custom networks, which is difficult, annoying, and defeats the purpose of UFW's simplicity.

The real solution is more involved, but luckily the problem is common enough that there is a handy GitHub repo, ufw-docker, detailing the problem and the steps to fix it. Essentially, you need to modify UFW's config at /etc/ufw/after.rules and add the following block at the end:

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
# Docker evaluates DOCKER-USER before its own rules; hand forwarded traffic to UFW's user rules first
-A DOCKER-USER -j ufw-user-forward

# Traffic from private address ranges (other containers, the LAN) is left alone
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

# DNS replies back to containers
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

# Everything else headed for a container's private address is logged and dropped
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

# Rate-limited logging, then drop
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

You can do that manually, but the same repo also provides a handy utility that automates it and adds some useful commands for checking the real firewall status. You can download it from the repo:

sudo wget -O /usr/local/bin/ufw-docker

sudo chmod +x /usr/local/bin/ufw-docker

Then, install the config and restart UFW:

sudo ufw-docker install

sudo systemctl restart ufw

Once restarted, the changes should apply immediately, but if they don't, you may need to restart Docker or the machine as a whole. Once the rules are in place, the container ports should all be properly blocked.
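Once the ufw-docker-logging-deny chain is active, every connection it drops is written to the kernel log with the "[UFW DOCKER BLOCK] " prefix, which gives you a way to confirm the block is working and to see what was knocking on container ports. The function below is an added example, not part of the ufw-docker tooling; it summarizes such log lines by destination port. The log lines are constructed samples that follow the field layout of netfilter's LOG target (SRC=, DST=, PROTO=, DPT=), shortened for readability.

```shell
#!/bin/sh
# Constructed sample kernel log lines. The last one carries UFW's ordinary
# "[UFW BLOCK]" prefix and must not be counted as a Docker block.
SAMPLE_LOG=$(printf '%s\n' \
'Mar  1 10:00:01 host kernel: [UFW DOCKER BLOCK] IN=eth0 OUT=docker0 SRC=203.0.113.7 DST=172.17.0.2 PROTO=TCP SPT=51234 DPT=8000 SYN' \
'Mar  1 10:00:02 host kernel: [UFW DOCKER BLOCK] IN=eth0 OUT=docker0 SRC=203.0.113.7 DST=172.17.0.2 PROTO=TCP SPT=51235 DPT=8000 SYN' \
'Mar  1 10:00:03 host kernel: [UFW DOCKER BLOCK] IN=eth0 OUT=docker0 SRC=198.51.100.9 DST=172.17.0.3 PROTO=TCP SPT=40000 DPT=5432 SYN' \
'Mar  1 10:00:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=23')

# Print "port blocked_attempts distinct_sources", busiest port first, for
# lines logged by the ufw-docker-logging-deny chain.
docker_block_summary() {
    printf '%s\n' "$1" | awk '
    index($0, "[UFW DOCKER BLOCK]") {
        dpt = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DPT=/) dpt = substr($i, 5)   # strip the "DPT=" prefix
            if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (dpt == "") next                         # ignore lines without a port
        count[dpt]++
        if (!((dpt, src) in seen)) { seen[dpt, src] = 1; nsrc[dpt]++ }
    }
    END { for (p in count) print p, count[p], nsrc[p] }
    ' | sort -k2,2nr -k1,1n
}

# On a real host feed it the kernel log, e.g.:
#   docker_block_summary "$(journalctl -k --no-pager)"
docker_block_summary "$SAMPLE_LOG"
```

For the sample input the summary shows two blocked attempts against port 8000 from one source and one against port 5432, while the plain UFW block line is ignored. Because the LOG rule is rate-limited to 3 per minute with a burst of 10, the counts are a lower bound during a scan, not an exact tally.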

Whitelisting Docker Container Ports With UFW

This solution does require you to open ports a little differently. The ufw-docker utility has a command that selectively whitelists a port for a specific Docker container:

sudo ufw-docker allow httpd 80

However, if you want a more advanced rule, such as IP-based whitelisting, you'll have to use ufw route allow:

sudo ufw route allow proto tcp from to any port 9443
