The problem is:
On a server that has several interfaces, loopback, eth0 with public IP and several Docker virtual interfaces, I wanted to use UFW to deny all of the incoming traffic on eth0 for the other ports other than the ones that I specify.
To start I tried:
ufw deny in on eth0 from any to any
which got me the following status:
root@debian:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 2222/tcp                   ALLOW IN    Anywhere
[ 4] Anywhere on eth0           DENY IN     Anywhere
[ 5] 22/tcp                     ALLOW IN    Anywhere (v6)
[ 6] 80/tcp                     ALLOW IN    Anywhere (v6)
[ 7] 2222/tcp                   ALLOW IN    Anywhere (v6)
[ 8] Anywhere (v6) on eth0      DENY IN     Anywhere (v6)
Which looks good but doesn't work.
I also tried to do ufw deny proto tcp from any
Although that's probably not what I want, because it might block connections within linked Docker containers.
So, I'm thinking that either the raw rules have an error on them, or iptables is somehow not enabled at all (?! is that possible??).
So, for the first case, the show raw output can be found here: http://pastebin.com/ABwVnx0S (I put it there because it is too big for ServerFault).
What is wrong with this?
Thanks!
As I'm running on Google Cloud I worked around it by applying the firewall rules at the project level, rather than machine level, but I still haven't found a solution for iptables on the machine.
– Richard Corfield Jun 02 '15 at 13:28
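As an added check that is not part of the question or its comments: the script below reads `iptables -S` output and reports whether ufw's chains are actually hooked into INPUT (the poster's second guess) and whether Docker has attached its own chain to FORWARD, which is the path DNAT'd traffic to container-published ports takes, so an INPUT-chain rule like the eth0 deny above never sees it. The rule dump is a constructed sample for a ufw+Docker host, not the poster's pastebin, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` on a host with ufw active and Docker
# installed. For a real host: iptables -S > rules.txt; report "$(cat rules.txt)"
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-N DOCKER
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A FORWARD -j DOCKER
-A FORWARD -j ufw-before-forward
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -i eth0 -j DROP'

# 0 if INPUT jumps into ufw's chains (netfilter is loaded and ufw is wired in).
ufw_input_hooked() {
    printf '%s\n' "$1" | grep -q '^-A INPUT -j ufw-before-input$'
}

# 0 if Docker has attached its DOCKER chain to FORWARD.
docker_forward_present() {
    printf '%s\n' "$1" | grep -q '^-A FORWARD -j DOCKER$'
}

# Name of the chain holding the "deny in on eth0" DROP rule (empty if absent).
eth0_deny_chain() {
    printf '%s\n' "$1" | awk '$1=="-A" && $0 ~ /-i eth0 / && $NF=="DROP" {print $2; exit}'
}

# Human-readable summary of one dump.
report() {
    rules=$1
    if ufw_input_hooked "$rules"; then
        echo "ufw is hooked into INPUT: host-bound traffic is filtered by ufw"
    else
        echo "INPUT does not jump to ufw chains: iptables/ufw is not active"
    fi
    chain=$(eth0_deny_chain "$rules")
    [ -n "$chain" ] && echo "eth0 deny rule lives in $chain (INPUT path only)"
    if docker_forward_present "$rules"; then
        echo "FORWARD jumps to DOCKER: published container ports are forwarded, not INPUT-filtered"
    fi
}

report "$SAMPLE_RULES"
```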