The Docker manual (http://docs.docker.com/installation/ubuntulinux/#docker-and-ufw) states that it's necessary to set UFW's DEFAULT_FORWARD_POLICY to "ACCEPT" so Docker containers can reach each other.
- What's the security implication of doing so on a server with publicly accessible network interfaces?
- What should be done to secure such a Docker host?
Best Answer
They seem to have solved this part of the problem, at least in the latest version 1.4.1. My FORWARD policy is to drop packets and inter-container communication works without problems.
Those are the standard rules in the FORWARD chain created by docker:
From bottom up:
No problems here. (Unless you want outgoing filters)
You can happily set FORWARD + INPUT policy to DROP/REJECT.
Now, you may want to provide a service on the internet. E.g. a simple webserver:
OK, now go to yourserver.com. You will see the default nginx page. Why? Docker added some special rules in iptables for you.
Those rules circumvent all of the ufw rules if there's a container listening. ufw does nothing in the nat table, and Docker puts its rules in first place in the FORWARD chain. So it's not possible for you to block an IP address or do rate limiting of any kind.
Possible solutions:
- --iptables=false and do everything manually. A painstaking solution, because every time you restart a container, it gets a new IP (for now; they plan to change that).
- -p 127.0.0.1:30080:80 and create your own iptables rules to get there.
- service docker start. Although a bit hacky, it works...
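An added example, not part of the original answer: a POSIX shell audit that checks, on constructed iptables -S output, whether Docker's jump to its DOCKER chain is ordered before ufw's chains in FORWARD (so Docker's rules win, as the answer describes), and which published ports are DNAT'ed without a destination restriction (reachable on every interface, unlike the 127.0.0.1 binding suggested above). The sample rules are constructed; on a real host feed it the output of iptables -S FORWARD and iptables -t nat -S DOCKER.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sample of
# `iptables -S FORWARD`: Docker's jump precedes every ufw-* chain.
FORWARD_RULES='-P FORWARD DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward'

# Constructed sample of `iptables -t nat -S DOCKER`: port 80 is published on
# all interfaces (no -d), port 30080 only on 127.0.0.1 (-p 127.0.0.1:30080:80).
NAT_DOCKER_RULES='-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 30080 -j DNAT --to-destination 172.17.0.3:80'

# Returns 0 when the first jump to DOCKER appears before the first jump to a
# ufw-* chain (or no ufw chain is present at all), 1 otherwise.
docker_precedes_ufw() {
    printf '%s\n' "$1" | awk '
        /-j DOCKER( |$)/ && !d { d = NR }
        /-j ufw-/ && !u { u = NR }
        END { exit !(d && (!u || d < u)) }'
}

# Prints the host ports DNAT-ed to a container without a "-d" restriction,
# i.e. those ufw cannot filter because they match on every interface.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/ && !/ -d [0-9]/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

if docker_precedes_ufw "$FORWARD_RULES"; then
    echo "WARNING: DOCKER chain is consulted before ufw in FORWARD"
fi
echo "ports published on all interfaces:"
exposed_ports "$NAT_DOCKER_RULES"
```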