Ubuntu – UFW not blocking connections to docker instance

firewalliptablesnetworkingufw

I have a webservice running inside a docker instance which was run using the following command:

sudo docker run -d -p 4040:4040 ....

My UFW rules look like this:

~ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
4040                       DENY        Anywhere
22                         ALLOW       Anywhere (v6)
4040                       DENY        Anywhere (v6)

When I access the box directly via its IP, I can access port 4040. Why is the ufw rule not blocking it?

Note: As part of the docker installation, I changed

DEFAULT_FORWARD_POLICY="DROP"
to
DEFAULT_FORWARD_POLICY="ACCEPT"

in /etc/default/ufw as per dockers instructions here (http://docs.docker.io/en/latest/installation/ubuntulinux/#docker-and-ufw)

Best Answer

I had the same problem and resolved it by using IPTABLES instead.

Example to only allow 3306 from source ip xxx.xxx.xxx.xxx:

Adds an accept for source matching our ip to line 1 of the FORWARD chain

iptables -I FORWARD 1 -p tcp -i eth0 -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT

Drops all other connections on the FORWARD chain for that port

iptables -I FORWARD 2 -p tcp -i eth0 --dport 3306 -j DROP

Using the line numbers (1 & 2) forces the rules to be added above the ones created by docker such as:

-A FORWARD -d 0.0.0.0/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT

Related Solutions

Ubuntu – Confused with ufw

You should reset ufw to defaults and start over:

sudo ufw reset

This will disable ufw and reset ufw to it's installation defaults which means to

- deny all incoming and
- allow all outgoing connections.

Then just add some rules to allow incoming connections for the applications you want to use:

sudo ufw allow ssh
sudo allow http

Now you can enable ufw

sudo ufw enable

Now ufw is running and configured to deny all incoming connections except connections to the ports needed for ssh and http. Outgoing connections are always allowed and this is normally desired.

You don't need to add a deny-rule for incoming connections like in your configuration:

deny in on enp6s0 from any port 30:65535 proto tcp`

This rule is unnecessary, incoming connections are denied by default.

If you want to configure the outgoing connections more restrictive, you can add deny-rules rather then defaulting outgoing connections to deny, it keeps rules simpler, mostly you want outgoing connections to be allowed. Deny-rules for outgoing connections would have to be designed carefully.

sudo ufw deny out 6773

for example would deny all outgoing connections on port 6773, any application that would need to use this port wouldn't be able to work properly anymore.

Interfaces

Using more than one interface makes things a bit more complicated. The defaults (deny in, allow out) apply to all interfaces,also rules which don't specify an interface will apply to all interfaces. You want your interfaces to behave different, so you have to add rules for each interface.

The rules in the section above need to be adapted to match your external interface (the rules in your question look like that).

Outgoing connections are allowed by default on all interfaces but not incoming connections, so you only need to add an allow in-rule for each internal interface:

sudo allow in on "interface" from any

Rules Order

Another important thing is the rules order. When a package arrives at the interface, ufw will check the rules,one by one. Whenever a rule matches the rule will be applied and the package denied, rejected or allowed. The rest of the rules which have not been checked at this moment are not used then. In your case I don't see much relevance of the rule order,but we always have to remind that rule order may matter.

Best Answer

Related Solutions

Ubuntu – Confused with ufw

Interfaces

Rules Order

Related Question