Docker – Blacklisting IPs with Docker, Traefik and DigitalOcean

dockerufw

I’m currently using Traefik on a digitalocean instance with Docker provider enabled. It’s working well with several containers (frontends and backends). The problem is that most DO IPs are recycled and the several that I’ve tried keep getting noisy traffic trying to “connect” to my root IP. I’ve tried searching everywhere but it seems DO firewall doesn’t support “deny” rules and Traefik bypasses local UFW settings since everything is thru Docker. Any suggestions on how I can blacklist a handful of bad IPs with this set up? My Traefik “health” dashboard is useless since the 307 requests are many magnitudes larger then regular traffic.

Thank you!

Best Answer

Looks like "for now" it is impossible with Traefik: https://github.com/containous/traefik/pull/4454

So you need something like fail2ban.

Related Solutions

Ubuntu – Using traefik and docker to securely expose some containers publicly

Can I set up the Docker containers so that some are only accessible inside the network and some outside?

Don't add the domains to your DNS. For your intranet containers use a domain such as myservice.myintranet.local, which won't be resolvable from the outside.

If you want extra security, you can create another entrypoint with an IP whitelist. Or you can use labels (read the last 2 rows of that table) if you prefer.

Can I setup traefik to handle routing of the traffic to the correct containers and also handle that some are "external" and som are internal only?

Traefik serves your container based on the Host header, so you only have to set up IP filtering (and not creating public DNS records) to protect intranet containers/domains from the outside while still allowing traffic to your public containers/domains.

Can I setup traefik's Let's encrypt integration to handle encryption of all "external" ardresses and keep my own CA's self signed wildcard certificate for my internal services?

I never tested this, but you could create another entrypoint and use that in your configuration of acme. Ex:

[entryPoints]
  ...
  [entryPoints.httpsle]
  address = ":443"
    [entryPoints.httpsle.tls]

[acme]
...
entryPoint = "httpsle"

And use that entrypoint with labels for your public sub-domains, to be signed automatically with Let's Encrypt.

How would I simplest set this up? Is using a virtual interface on my server (running Ubuntu) or using another dedicated ethernet port (it has two) the best way?

I think the better approach would be to assign your server 2 IPs in your LAN, one for each ethernet port.

How would I setup traefik to handle traffic on multiple interfaces?

You don't have to setup anything. Giving your server 2 IPs (one for public hosting and one for personal traffic/intranet), it will receive request to both of them. Traefik will then route the requests to the correct container, based on the Host header.

docker ufw – Why Does Docker Bypass UFW Rules Intermittently?

ufw shows only the ufw configuration and any rules inserted directly in your firewall configuration (with iptables directly or another tool such as docker) without going through ufw are NOT displayed.

Firewall rules in Linux are applied in the order they are listed. When you start a docker container docker will insert the rules your docker containers need before existing rules and the rule-set you maintain with ufw.

In other words Docker exposing a port takes precedence over a subsequent ufw rules closing a particular port.

Check for instance with [sudo] iptables-save what your effective rule set is.

As to why -p 127.0.0.1:8181:8080 works differently?
The firewall rule docker creates will still take precedence to your ufw rules, but rather than exposing the port on all interfaces, including to the public, you now instruct docker to be much more restrictive and only expose the port on localhost.

Best Answer

Related Solutions

Ubuntu – Using traefik and docker to securely expose some containers publicly

docker ufw – Why Does Docker Bypass UFW Rules Intermittently?

Related Topic