This is the first time i address such a network "problem" to solve with docker and i need some inputs.
This is my situation:
-
Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run a PHP backend application.
-
Ufw default policy is set to DROP for both INPUT and OUTPUT, as well as for FORWARD.
-
sysctl rule:
net.ipv4.conf.all.forwarding = 0
My need:
- a container running in daemon mode, with port 8888/tcp which accept connections from the outside but ONLY from ip 8.8.8.8 and, also, port 4444/tcp which listen from localhost
My problem:
Ufw is set to accept incoming connections on port 8888/tcp ONLY from ip 8.8.8.8. Hence, basically:
sudo ufw allow in from 8.8.8.8 to any port 8888 proto tcp
Then, i run the container with:
docker run -p 8888:8888/tcp -p 127.0.0.1:4444:4444/tcp [other options ]
Afterwards, running nmap -p 8888 45.45.45.45
from a machine which have NOT the ip = 8.8.8.8, i expect to get port filtered
.
But….
Host is up (0.056s latency).
PORT STATE SERVICE
8888/tcp open unknown
I have then tried to run the container again without -p 8888:8888/tcp
and then i tried to run again the nmap, and…
Host is up (0.061s latency).
PORT STATE SERVICE
8888/tcp filtered unknown
Therefore, it seems that, correct me if i am wrong, docker rules override ufw's ones.
I have then searched a way to allow incoming traffic in a container only from a specific address, and i found something like:
iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
And it worked:
PORT STATE SERVICE
8888/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
My question is then:
is the solution above right for my case? i mean: acting like above, i am overriding ufw rule allow in from 8.8.8.8 to any port 8888 proto tcp
with a docker rule that says "expose ports only if traffic comes from ip 8.8.8.8 " … is this the right approach?
would not be better to leave ufw do the "bad work" of drop unwanted packets and then just forward traffic from filtered ports to docker? is there a way to do this?
I would avoid this solution because being an iptable rule of the DOCKER chain, that rule involves all the containers i currently have or i will have.
Thank you.
Best Answer
On Linux, both ufw and docker's rules are implemented on top of netfilter. So is
iptables
. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.The command
iptables-save
is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.