ufw

Docker ignores ufw with the default settings

Bug #1717648 reported by Kayvan Sylvan on 2017-09-16
This bug affects 5 people

Affects: ufw
Importance: Undecided
Assigned to: Unassigned

Bug Description

$ sudo ufw --version
ufw 0.35
Copyright 2008-2015 Canonical Ltd.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch

The issue is described fully here: https://github.com/moby/moby/issues/4737

In a nutshell, Docker sets up tables and rules in the DOCKER table and FORWARD table to facilitate routing to containers. This effectively bypasses `ufw` rules if, for example, you have an nginx container running on your machine and you are trying to stop bots from scanning your website by running `ufw` commands to deny that traffic.

I'm asking if you can make some modification to `ufw` to be aware of Docker's setup and work with it?

As you can tell from the github issue referenced above, on the Docker side, this has remained a problem for a few years. I'm hoping that maybe the `ufw` folks can address it in a way that you can run Docker in its standard configuration, and have `ufw` put its rules at the beginning of the queue of rules that Docker uses.

Thanks!
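The ordering problem the report describes can be checked on a host rather than inferred. The following shell script is an added example (not from the bug report or from the ufw or Docker projects): it reads a dump of the FORWARD chain in `iptables -S` format and reports whether a jump to a Docker chain comes before the first jump to a ufw chain, which is the arrangement that lets container traffic skip ufw. The sample dump inside the script is constructed to look like a Docker host with ufw enabled; on a real host, save `iptables -S FORWARD` (as root) to a file and pass that path instead.

```shell
#!/bin/sh
# Added example, not part of the bug report: detect the FORWARD-chain rule
# ordering that lets Docker bypass ufw.
#   iptables -S FORWARD > /tmp/forward.txt   (as root)
#   ufw_precedes_docker /tmp/forward.txt
# The dump written by write_sample_dump is constructed for demonstration.

# Write a constructed FORWARD dump (Docker rules inserted ahead of ufw's) to $1.
write_sample_dump() {
  cat > "$1" <<'EOF'
-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
EOF
}

# Print the 1-based position, among the "-A FORWARD" rules in file $1, of the
# first rule matching the regex $2; print 0 when nothing matches.
first_jump_pos() {
  awk -v pat="$2" '
    /^-A FORWARD / { n++; if ($0 ~ pat && !found) { found = n } }
    END { print found + 0 }
  ' "$1"
}

# Return 0 when ufw's chains are consulted before any Docker chain (or Docker
# manages no rules at all), 1 when a Docker rule precedes them so traffic to
# containers skips ufw, 2 when Docker rules exist but no ufw rules do.
ufw_precedes_docker() {
  ufw_pos=$(first_jump_pos "$1" '-j ufw-')
  docker_pos=$(first_jump_pos "$1" '-j DOCKER')
  [ "$docker_pos" -eq 0 ] && return 0
  [ "$ufw_pos" -eq 0 ] && return 2
  [ "$ufw_pos" -lt "$docker_pos" ]
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample_dump "$sample"
ufw_precedes_docker "$sample" && rc=0 || rc=$?
case "$rc" in
  0) echo "ok: ufw rules are evaluated before Docker's" ;;
  1) echo "BYPASS: Docker rule at position $(first_jump_pos "$sample" '-j DOCKER') precedes first ufw rule at position $(first_jump_pos "$sample" '-j ufw-')" ;;
  2) echo "Docker rules present but no ufw rules in FORWARD" ;;
esac
rm -f "$sample"
```

Any `-j DOCKER` prefix is treated as a Docker chain, so DOCKER, DOCKER-ISOLATION and similar chains all count; the check cares only about relative order, not about what the ufw chains then allow or deny.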

summary: - ufw and Docker do not work well together
+ Docker ignores ufw with the default settings

Pavel Savchenko (asfaltboy) wrote :

The workaround I use, while a bit fragile, is like so:

1. disable docker's iptables updates by adding this to /etc/docker/daemon.json: {"iptables": false}

2. change DEFAULT_FORWARD_POLICY to "ACCEPT" in /etc/default/ufw

3. finally, add the following lines at the top of /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT

Where 172.17.0.0 is my docker0 interface's network.

Of course I don't know what happens on next docker or ufw update, or whether there's a better way to make ufw aware of those DOCKER chains.
What I know for sure is that adding `ufw deny in on docker0` has no effect, which is odd.
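Because the three steps above touch three different files, it is easy to apply one and forget another, or to lose the before.rules change on a package upgrade. The following shell script is an added example, not code from the comment or from ufw, that audits whether all three pieces of the workaround are present. Each check takes the path of the file it reads, so it can run against copies; the defaults are the Debian paths named in the comment, and the docker0 network defaults to 172.17.0.0/16 as in the comment.

```shell
#!/bin/sh
# Added example, not part of the bug comment: audit the three-step workaround
# (daemon.json, DEFAULT_FORWARD_POLICY, before.rules MASQUERADE rule).
# Usage: sh audit.sh [daemon.json] [default/ufw] [before.rules] [docker0-subnet]

# Step 1: Docker's own iptables management must be off. Whitespace is stripped
# first so {"iptables": false} and {"iptables":false} both match.
docker_iptables_disabled() {
  [ -r "$1" ] && tr -d ' \t\r\n' < "$1" | grep -q '"iptables":false'
}

# Step 2: print the value of DEFAULT_FORWARD_POLICY (DROP on a stock install,
# ACCEPT once the workaround is applied); prints nothing if the file is unreadable.
ufw_forward_policy() {
  sed -n 's/^DEFAULT_FORWARD_POLICY="\([A-Za-z]*\)".*/\1/p' "$1" 2>/dev/null
}

# Step 3: the MASQUERADE rule for the docker0 network ($2) must appear as a
# whole line in before.rules ($1).
masquerade_rule_present() {
  grep -qxF -e "-A POSTROUTING ! -o docker0 -s $2 -j MASQUERADE" "$1" 2>/dev/null
}

# Run all three checks, print one line per step, return how many are missing.
audit_workaround() {
  daemon_json=${1:-/etc/docker/daemon.json}
  ufw_defaults=${2:-/etc/default/ufw}
  before_rules=${3:-/etc/ufw/before.rules}
  subnet=${4:-172.17.0.0/16}
  missing=0

  if docker_iptables_disabled "$daemon_json"; then
    echo "ok   step 1: $daemon_json disables Docker's iptables management"
  else
    echo "MISS step 1: $daemon_json does not set \"iptables\": false"
    missing=$((missing + 1))
  fi

  policy=$(ufw_forward_policy "$ufw_defaults")
  if [ "$policy" = ACCEPT ]; then
    echo "ok   step 2: DEFAULT_FORWARD_POLICY is ACCEPT"
  else
    echo "MISS step 2: DEFAULT_FORWARD_POLICY is '${policy:-unset}' (expected ACCEPT)"
    missing=$((missing + 1))
  fi

  if masquerade_rule_present "$before_rules" "$subnet"; then
    echo "ok   step 3: MASQUERADE rule for $subnet found in $before_rules"
  else
    echo "MISS step 3: no MASQUERADE rule for $subnet in $before_rules"
    missing=$((missing + 1))
  fi
  return "$missing"
}

# Stand-alone run against the real files, or the paths given as arguments.
audit_workaround "$@" || true
```

A non-zero return from audit_workaround is the count of missing steps, which makes it usable from a cron job or configuration-management check after a ufw or Docker upgrade; it reports on the files only and does not inspect the live iptables state.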

Jamie Strandboge (jdstrand) wrote :

/etc/ufw/before.rules is a Debian conffile, so you will be prompted on upgrade if there is a shipped ufw change (this file doesn't change often, so most ufw upgrades will not prompt). Modifying the before/after files and chains is the way to let ufw deal with other applications that manipulate the firewall (that's one of the reasons the files are there).
