Firewall – Why does UFW not block the ports that have been exposed using docker

dockerfirewallufw

I've setup some rules on my ufw but I think it's just not blocking anything. This is its current status:

~# ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
27015:27115/udp            ALLOW IN    Anywhere
27015:27115/tcp            ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
27015:27115/udp (v6)       ALLOW IN    Anywhere (v6)
27015:27115/tcp (v6)       ALLOW IN    Anywhere (v6)

As you can see, it is denying incoming connections by default and only allowing certain ports. But still, I've just setup a new service on port 8083 and I can access it from outside. Why is it so?

I've used a docker container to run this new service, in case it matters.

Best Answer

It looks like

Docker tampers directly with IPTables

. It is possible to override this behavior by adding --iptables=false to to the Docker daemon.

Edit /etc/default/docker and uncomment the DOCKER_OPTS line:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"

The author concluded the following:

UFW doesn’t tell you iptables true state (not shocking, but still).

Never use the -p option (or -P) in Docker for something you don’t want to be public.

Only bind on either the loopback interface or an internal IP.

Best Answer

Related Solutions

UFW/IPTables – Troubleshooting curl After Setting Default Outgoing Deny and Port 80 Allow

UFW/IPTables – How to Securely Allow Authenticated Git Access with GitHub

Related Topic