ufw

Docker ignores ufw with the default settings

Bug #1717648 reported by Kayvan Sylvan
This bug affects 5 people
Affects   Status      Importance   Assigned to   Milestone
ufw       Won't Fix   Wishlist     Unassigned

Bug Description

$ sudo ufw --version
ufw 0.35
Copyright 2008-2015 Canonical Ltd.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch

The issue is described fully here: https://github.com/moby/moby/issues/4737

In a nutshell, Docker sets up tables and rules in the DOCKER table and FORWARD table to facilitate routing to containers. This effectively bypasses `ufw` rules if, for example, you have an nginx container running on your machine and are trying to stop bots from scanning your website by running `ufw` commands to deny that traffic.

I'm asking if you can make some modification to `ufw` to be aware of Docker's setup and work with it?

As you can tell from the github issue referenced above, on the Docker side, this has remained a problem for a few years. I'm hoping that maybe the `ufw` folks can address it in a way that you can run Docker in its standard configuration, and have `ufw` put its rules at the beginning of the queue of rules that Docker uses.

Thanks!

summary: - ufw and Docker do not work well together
+ Docker ignores ufw with the default settings
Pavel Savchenko (asfaltboy) wrote :

The workaround I use, while a bit fragile, is like so:

1. disable docker's iptables updates by adding this to /etc/docker/daemon.json: {"iptables": false}

2. change DEFAULT_FORWARD_POLICY to "ACCEPT" in /etc/default/ufw

3. finally, add the following lines at the top of /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT

Where 172.17.0.0 is my docker0 interface's network.

Of course I don't know what happens on next docker or ufw update, or whether there's a better way to make ufw aware of those DOCKER chains.
What I know for sure is that adding `ufw deny in on docker0` has no effect, which is odd.
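Added example, not code from the bug report or from ufw/Docker: a small audit that checks whether the three workaround steps above are in place, given the contents of daemon.json, /etc/default/ufw and before.rules as text (function names and the SAMPLE contents are hypothetical).

```python
# Added example (not from the bug report, ufw or Docker): audits the three-step workaround above from file contents passed as text.
import json
import re

def docker_iptables_disabled(daemon_json_text):
    """Step 1: /etc/docker/daemon.json sets "iptables": false."""
    try:
        cfg = json.loads(daemon_json_text)
    except json.JSONDecodeError:
        return False  # unparsable config: Docker would not apply the setting
    return isinstance(cfg, dict) and cfg.get("iptables") is False

def forward_policy_accept(default_ufw_text):
    """Step 2: DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw (sourced as shell, last assignment wins)."""
    policy = None
    for line in default_ufw_text.splitlines():
        m = re.match(r'^\s*DEFAULT_FORWARD_POLICY=["\']?(\w+)["\']?\s*$', line)
        if m:
            policy = m.group(1)
    return policy == "ACCEPT"

def masquerade_rule_present(before_rules_text, subnet):
    """Step 3: the *nat section of before.rules has the docker0 MASQUERADE rule and ends with COMMIT."""
    want = ["-A", "POSTROUTING", "!", "-o", "docker0", "-s", subnet, "-j", "MASQUERADE"]
    table, found = None, False
    for raw in before_rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):  # table header such as *nat or *filter
            table, found = line[1:], False
        elif line == "COMMIT":
            if table == "nat" and found:
                return True
            table, found = None, False
        elif table == "nat" and line.split() == want:
            found = True
    return False  # rule missing, in the wrong table, or never committed

def audit(daemon_json, default_ufw, before_rules, subnet="172.17.0.0/16"):
    """Map each workaround step to whether the given file contents satisfy it."""
    return {"docker_iptables_disabled": docker_iptables_disabled(daemon_json),
            "forward_policy_accept": forward_policy_accept(default_ufw),
            "masquerade_rule_present": masquerade_rule_present(before_rules, subnet)}

# Constructed sample contents mirroring the comment's workaround (not real files).
SAMPLE = {"daemon_json": '{"iptables": false}',
          "default_ufw": 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n',
          "before_rules": "*nat\n:POSTROUTING ACCEPT [0:0]\n"
                          "-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE\nCOMMIT\n"}
```

Run `audit(**SAMPLE)` to see all three steps report True; feed it the real file contents to find which step a host is missing.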

Jamie Strandboge (jdstrand) wrote :

/etc/ufw/before.rules is a Debian conffile, so you will be prompted on upgrade if there is a shipped ufw change (this file doesn't change often, so most ufw upgrades will not prompt). Modifying the before/after files and chains is the way to let ufw deal with other applications that manipulate the firewall (that's one of the reasons the files are there).

Changed in ufw:
importance: Undecided → Wishlist
status: New → Won't Fix