Docker and UFW Firewall - Fixing the security flaw

Self-Hosting Oct 18, 2021


On Linux, Docker manipulates iptables rules to provide network isolation. While this is an implementation detail and you should not modify the rules Docker inserts into your iptables policies, it does have some implications on what you need to do if you want to have your own policies in addition to those managed by Docker.

If you’re running Docker on a host that is exposed to the Internet, you will probably want to have iptables policies in place that prevent unauthorized access to containers or other services running on your host. This page describes how to achieve that, and what caveats you need to be aware of. ~Docker Docs

What is UFW?

Uncomplicated Firewall (UFW) is a program for managing a netfilter firewall designed to be easy to use. It uses a command-line interface consisting of a small number of simple commands, and uses iptables for configuration. UFW is available by default in all Ubuntu installations after 8.04 LTS - Wikipedia

UFW Setup

Install:
Ubuntu/Debian: sudo apt install ufw
CentOS/Fedora: sudo dnf install ufw

Open/Allow Ports:
SSH: sudo ufw allow 22/tcp
HTTP: sudo ufw allow 80/tcp
HTTPS: sudo ufw allow 443/tcp

Enable UFW Firewall: sudo ufw enable

Security Flaw

We now have a server set up with the commands above.

With this setup, a service listening on port 8080 on the host is not reachable from outside, because UFW blocks it. The issue is that Docker bypasses these restrictions.

To test this I'll fire up a basic apache container running on port 8080.

Apache docker-compose:

version: '2'
services:
    apache2:
        image: httpd:2.4
        ports:
            - 8080:80
Port 8080 in use due to the Docker security issue
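The following audit script is an added example, not part of the original post. It shows the flaw in data: it lists the host ports that Docker has DNATed into containers and that UFW has no ALLOW rule for. The iptables and ufw output it parses is constructed to match the setup above (the container IPs and the second, 443 rule are made up); on a real host you would feed it the output of `iptables -t nat -S DOCKER` and `ufw status`.

```python
import re
# Constructed sample output of `iptables -t nat -S DOCKER` on a host running the
# httpd container from the compose file above (8080:80) plus a second container.
SAMPLE_NAT_RULES = """\
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.3:443
"""

# Constructed sample output of `ufw status` after the setup steps above.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

DNAT_RE = re.compile(r"-p (tcp|udp) .*--dport (\d+) -j DNAT --to-destination (\S+)")
UFW_ALLOW_RE = re.compile(r"^(\d+)/(tcp|udp)(?: \(v6\))?\s+ALLOW\b")

def published_ports(nat_rules):
    """Host ports Docker DNATs into containers: {(port, proto): 'ip:port'}.
    Docker adds these rules itself, so UFW never sees them."""
    found = {}
    for line in nat_rules.splitlines():
        m = DNAT_RE.search(line)
        if m:
            proto, port, target = m.groups()
            found[(int(port), proto)] = target
    return found

def ufw_allowed_ports(ufw_status):
    """Ports with an explicit UFW ALLOW rule, as {(port, proto)}."""
    allowed = set()
    for line in ufw_status.splitlines():
        m = UFW_ALLOW_RE.match(line.strip())
        if m:
            allowed.add((int(m.group(1)), m.group(2)))
    return allowed

def bypassing_ports(nat_rules, ufw_status):
    """Published container ports with no UFW ALLOW rule: reachable from outside
    only because Docker edited iptables directly (the flaw shown above)."""
    pub, allowed = published_ports(nat_rules), ufw_allowed_ports(ufw_status)
    return sorted((p, pr, pub[(p, pr)]) for (p, pr) in pub if (p, pr) not in allowed)
```

On the sample data the only bypassing entry is 8080/tcp, exactly the port UFW was supposed to keep closed, while 443/tcp is published but covered by an ALLOW rule.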

Fixing the security flaw

  1. sudo nano /etc/default/docker
  2. Add: DOCKER_OPTS="--iptables=false"
  3. Restart the Docker service: sudo systemctl restart docker

All sorted!

Apache does not respond since port 8080 is now closed

Just don't forget to open the ports in UFW when running a new service.

For example:
HTTPS: sudo ufw allow 443/tcp
DNS: sudo ufw allow 53/udp
