Iptables – Bind docker container ports only to specific outside server address

Tags: docker, iptables, nat, networking, port-forwarding

This is the first time I address such a network "problem" to solve with docker and I need some input.

This is my situation:

  • Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run a PHP backend application.

  • Ufw default policy is set to DROP for both INPUT and OUTPUT, as well as for FORWARD.

  • sysctl rule: net.ipv4.conf.all.forwarding = 0

My need:

  • a container running in daemon mode, with port 8888/tcp which accepts connections from the outside but ONLY from IP 8.8.8.8 and, also, port 4444/tcp which listens on localhost

My problem:

Ufw is set to accept incoming connections on port 8888/tcp ONLY from IP 8.8.8.8. Hence, basically:

sudo ufw allow in from 8.8.8.8 to any port 8888 proto tcp

Then, I run the container with:

docker run -p 8888:8888/tcp -p 127.0.0.1:4444:4444/tcp [other options ]

Afterwards, running nmap -p 8888 45.45.45.45 from a machine which does NOT have the IP 8.8.8.8, I expect to get the port filtered.
But…

Host is up (0.056s latency).
PORT      STATE SERVICE
8888/tcp  open  unknown

I have then tried to run the container again without -p 8888:8888/tcp and then I ran nmap again, and…

Host is up (0.061s latency).
PORT      STATE SERVICE
8888/tcp  filtered  unknown

Therefore, it seems that, correct me if I am wrong, docker's rules override ufw's.

I then searched for a way to allow incoming traffic into a container only from a specific address, and I found something like:

iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP

And it worked:

PORT      STATE    SERVICE
8888/tcp  filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds

My question is then:

Is the solution above right for my case? I mean: acting like above, I am overriding the ufw rule allow in from 8.8.8.8 to any port 8888 proto tcp with a docker rule that says "expose ports only if traffic comes from IP 8.8.8.8"… is this the right approach?

Would it not be better to let ufw do the "bad work" of dropping unwanted packets and then just forward traffic from the filtered ports to docker? Is there a way to do this?

I would avoid this solution because, being an iptables rule in the DOCKER chain, that rule involves all the containers I currently have or will have.

Thank you.

Best Answer

On Linux, both ufw and docker's rules are implemented on top of netfilter. So is iptables. So it is not possible to get ufw to do some things and get docker rules to do others - all those things will be done by the single underlying netfilter subsystem.

The command iptables-save is useful to dump out everything that has been configured for netfilter, including docker rules and ufw, and then (with some effort) you can follow through the chains and see what it is doing.
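The answer suggests dumping the netfilter state with iptables-save and following the chains by hand. The script below is an added example (not part of the question or the answer) that does exactly that mechanically: it extracts the rules of one chain from a dump and walks the filter table's DOCKER chain in order to report the verdict a TCP packet from a given source to a given published port would receive. The dump it parses is a constructed sample modelled on what Docker's -p publishing (a DNAT rule in nat/DOCKER and an ACCEPT in filter/DOCKER) plus the question's manual "-I DOCKER ! -s 8.8.8.8 -j DROP" rule would produce; the container address 172.17.0.2 and the external interface name eth0 (standing in for the question's ext_if) are assumptions. Only the matchers that appear in the sample (-i, ! -i, -s, ! -s, --dport) are interpreted; anything else in a rule is ignored, so treat the result as a reading aid, not a full packet-path simulator.

```shell
#!/bin/sh
# Constructed sample of an `iptables-save` dump (assumption: container IP
# 172.17.0.2, external interface eth0). The first filter/DOCKER rule is the
# one from the question, inserted with `iptables -I DOCKER ...`.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 172.17.0.2:8888
-A DOCKER ! -i docker0 -p tcp -m tcp -d 127.0.0.1/32 --dport 4444 -j DNAT --to-destination 172.17.0.2:4444
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:ufw-user-input - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -i eth0 ! -s 8.8.8.8 -j DROP
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8888 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4444 -j ACCEPT
-A ufw-user-input -s 8.8.8.8/32 -p tcp -m tcp --dport 8888 -j ACCEPT
COMMIT'

# Source of the dump; on a live host replace the body with: sudo iptables-save
dump() { printf '%s\n' "$SAMPLE_DUMP"; }

# Print the rules of chain $2 in table $1 (nat|filter), in evaluation order.
chain_rules() {
    dump | awk -v t="*$1" -v c="$2" '
        $0 == t        { in_t = 1; next }
        $0 == "COMMIT" { in_t = 0 }
        in_t && $1 == "-A" && $2 == c { print }'
}

# Walk filter/DOCKER top to bottom and report the first verdict for a TCP
# packet from source $1 to container port $2 that entered on eth0 (assumption:
# the nat/DOCKER DNAT has already rewritten the destination). A packet matched
# by no rule returns to FORWARD, whose policy in the sample is DROP.
docker_verdict() {
    chain_rules filter DOCKER | awk -v src="$1" -v port="$2" -v ifc="eth0" '
    function strip(a) { sub(/\/32$/, "", a); return a }   # 8.8.8.8/32 -> 8.8.8.8
    {
        ok = 1; verdict = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "!") {                   # negated matcher follows
                if ($(i+1) == "-i" && $(i+2) == ifc) ok = 0
                if ($(i+1) == "-s" && strip($(i+2)) == src) ok = 0
                i += 2
            } else if ($i == "-i")      { if ($(i+1) != ifc) ok = 0; i++ }
            else if ($i == "-s")        { if (strip($(i+1)) != src) ok = 0; i++ }
            else if ($i == "--dport")   { if ($(i+1) != port) ok = 0; i++ }
            else if ($i == "-j")        { verdict = $(i+1); i++ }
        }
        if (ok && verdict != "") { print verdict; matched = 1; exit }
    }
    END { if (!matched) print "DROP" }'
}

# Stand-alone demonstration: the allowed source reaches 8888, anyone else is
# dropped, and the DROP rule also hits port 4444 of the same (and every other)
# container, which is the side effect the question worries about.
printf 'from 8.8.8.8 to 8888     : %s\n' "$(docker_verdict 8.8.8.8 8888)"
printf 'from 203.0.113.7 to 8888 : %s\n' "$(docker_verdict 203.0.113.7 8888)"
printf 'from 203.0.113.7 to 4444 : %s\n' "$(docker_verdict 203.0.113.7 4444)"
printf 'from 8.8.8.8 to 9999     : %s\n' "$(docker_verdict 8.8.8.8 9999)"
```

Run it with sh; to inspect a real host, make dump() call sudo iptables-save and keep the interface name in docker_verdict in line with the one used in the inserted rule. Listing chain_rules nat DOCKER alongside chain_rules filter DOCKER is the quickest way to see why a ufw-user-input rule never influences a published port: the DNAT and the FORWARD/DOCKER ACCEPT decide the fate of that traffic before any INPUT-chain rule is consulted.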