This is my first time setting up an Ubuntu Server (14.04 LTS) and I am having trouble configuring the firewall (UFW). I only need ssh and http, so I am doing this:
sudo ufw disable
sudo ufw reset
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw enable
sudo reboot
But I can still connect to databases on other ports of this machine. Any idea about what I am doing wrong?
EDIT: these databases are on Docker containers. Could this be related? Is it overriding my ufw config?
EDIT2: output of sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
Best Answer
The problem was using the -p flag on containers. It turns out that Docker makes changes directly to your iptables, which are not shown with ufw status. Possible solutions are:
1. Stop using the -p flag. Use docker linking or docker networks instead.
2. Bind containers locally so they are not exposed outside your machine:
docker run -p 127.0.0.1:8080:8080 ...
3. If you insist on using the -p flag, tell docker not to touch your iptables by disabling them in /etc/docker/daemon.json and restarting:
{ "iptables" : false }
I recommend option 1 or 2. Beware that option 3 has side-effects, like containers becoming unable to connect to the internet.