UFW firewall is not working on Ubuntu in DigitalOcean

Question

In my DigitalOcean (DO) droplet I installed this image: Ubuntu Docker 17.12.0~ce on 16.04 (which is available on ** DO website > droplet> destroy> rebuild droplet**) , in ssh (after user configuration), I run

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo ufw status verbose

and get:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere                  
2375/tcp                   ALLOW IN    Anywhere                  
2376/tcp                   ALLOW IN    Anywhere                  
22 (v6)                    LIMIT IN    Anywhere (v6)             
2375/tcp (v6)              ALLOW IN    Anywhere (v6)             
2376/tcp (v6)              ALLOW IN    Anywhere (v6)

As you see, I don't allow any connections on port 80 (http). Ok to test that firewall really works I run following docker:

sudo docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:alpine

But when I go to chrome and type my droplet IP I see nginx response (!!!)

I try this also for Ubuntu 17 image (with docker installation by hand) but still get the same problem.

Conclusion: ufw firewall doesn't work at all in Ubuntu

Question: how to configure ufw/Ubuntu to fix this problem?

some related info [here](https://stackoverflow.com/a/51741599/860099) — Kamil Kiełczewski, Feb 02 '19 at 07:03

score 26 · Accepted Answer · answered Mar 29 '18 at 18:59

26

Docker and UFW don't work together too well as they both modify iptables but there's a way to fix this. You'll need to configure Docker to not use iptables. Add

DOCKER_OPTS="--iptables=false"

to /etc/default/docker and restart your host (or restart the Docker daemon and UFW).

These two links have a lot more information about the issue:

https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html
https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/

answered Mar 29 '18 at 18:59

Oliver

11,857
2
36
42

12

In my case I had to edit `/etc/docker/daemon.json` to contain `{"iptables": false}`. There was a big warning above `/etc/default/docker` that `THIS FILE DOES NOT APPLY TO SYSTEMD` – user1556435 Sep 02 '19 at 13:39
I quote @user1556435 remark: the same held in my case. – EM90 Jul 03 '20 at 08:48
@user1556435 I did not find the `daemon.json` in my own host. Do I create it? – DaviesTobi alex Apr 20 '21 at 11:44
1

`DOCKER_OPTS="--iptables false"` removing the equal to sign worked for me – DaviesTobi alex Apr 20 '21 at 13:18
I tried this with a DigitalOcean droplet and it did help the process happen quicker, but, for me at least, it's not a complete fix. The firewall's still periodically blocking the significant number of connections that docker-compose makes. – Matthew Setter Oct 05 '21 at 13:32
This is not appropriate for most users: https://docs.docker.com/network/iptables/#prevent-docker-from-manipulating-iptables (Better solution on the top of the same page) – Morgy Feb 25 '22 at 09:40
@DaviesTobialex yes, to solve this problem you need to create `daemon.json` in `/etc/docker/` with this text `{"iptables": false}` and restart docker daemon (`sudo systemctl restart docker`) after this – Ningaro Jun 20 '22 at 23:54

score 13 · Answer 2 · edited Jan 25 '21 at 03:29

Doing this DOCKER_OPTS="--iptables=false" didn't work for me.

I suggest to add these lines at the end of /etc/ufw/after.rules

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

Here the source.

score 2 · Answer 3 · answered Mar 30 '18 at 13:59

2

Alternative solution: Drop UFW and instead use Network Firewall available in digital ocean control panel (on website).

answered Mar 30 '18 at 13:59

Kamil Kiełczewski

85,173
29
368
345

3

DO firewall can't make a difference between public and private network, while with ufw you can easily configure different set of rules for public and private networks – Kirill Titov Jan 21 '19 at 22:12
Wow, this solved my problem. They should put a basic firewall on this kind by default in my opinion. – Shankar Thyagarajan Aug 18 '20 at 05:37

UFW firewall is not working on Ubuntu in DigitalOcean

3 Answers3

Linked