Ubuntu – UFW not blocking connections to docker instance


I have a webservice running inside a docker instance which was run using the following command:

sudo docker run -d -p 4040:4040 ....

My UFW rules look like this:

~ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
4040                       DENY        Anywhere
22                         ALLOW       Anywhere (v6)
4040                       DENY        Anywhere (v6)

When I access the box directly via its IP, I can access port 4040. Why is the ufw rule not blocking it?

Note: As part of the docker installation, I changed


in /etc/default/ufw as per dockers instructions here (http://docs.docker.io/en/latest/installation/ubuntulinux/#docker-and-ufw)

Best Answer

I had the same problem and resolved it by using IPTABLES instead.

Example to only allow 3306 from source ip xxx.xxx.xxx.xxx:

Adds an accept for source matching our ip to line 1 of the FORWARD chain

iptables -I FORWARD 1 -p tcp -i eth0 -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT

Drops all other connections on the FORWARD chain for that port

iptables -I FORWARD 2 -p tcp -i eth0 --dport 3306 -j DROP

Using the line numbers (1 & 2) forces the rules to be added above the ones created by docker such as:

-A FORWARD -d ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT

Related Question