15

For me this is a very standard setup: I had an Ubuntu machine running Docker, with ufw as my firewall.

If my firewall is enabled, the Docker instances are unable to connect to the outside:

$ docker run -i -t ubuntu /bin/bash
WARNING:  Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
root@d300c5f17207:/# apt-get update
Err http://archive.ubuntu.com precise InRelease
0% [Connecting to archive.ubuntu.com]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/Release.gpg  Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Here is the ufw log showing the blocked connections from the docker container.

$ sudo tail /var/log/ufw.log
Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44 
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44 
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44

I tried adding a rule using the IP:

$ sudo ufw allow in from 172.16.42.2
$ sudo ufw allow out from 172.16.42.2

And there was no change; it is still blocked.

How can I easily allow all connections from the container to the outside with a ufw rule?

Mario César

4 Answers

26

This fixed it for me:

ufw allow in on docker0

Bryan Larsen
  • This worked for me too, while I think that the first step is also needed, as rchampourlier pointed out in his answer: setting the ufw DEFAULT_FORWARD_POLICY's value to "ACCEPT". – Heri Sep 26 '15 at 21:27
  • Update: Sorry, my above comment is wrong. Only Franchu's solution worked finally, of course together with rchampourlier's solution (I tested first in a wrong environment). – Heri Sep 27 '15 at 08:34
  • I did an allow on `docker_gwbridge`, which was what the ufw block lines in syslog were reporting. Since I only wanted postgres, it was: `sudo ufw allow in on docker_gwbridge to any port 5432` (output: `Rule added`, `Rule added (v6)`). – Blaskovicz Mar 06 '18 at 05:06
24

Edit /etc/ufw/before.rules as follows:

In the *filter section, after the first block of required lines, add:

# docker rules to enable external network access from the container
# forward traffic across the bridge (one -i line per Docker bridge interface)
-A ufw-before-forward -i docker0 -j ACCEPT
-A ufw-before-forward -i testbr0 -j ACCEPT
# allow reply packets for connections the containers initiated
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

At the end of the file, after the line that says COMMIT, add the following section:

*nat
:POSTROUTING ACCEPT [0:0]
# masquerade the bridge's own subnet only (172.16.42.0/24 here; /8 would cover all of 172.0.0.0)
-A POSTROUTING -s 172.16.42.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

After saving the file, restart ufw with sudo ufw disable && sudo ufw enable

Franchu
  • Thanks, Franchu, this did it. It would be nice if you would explain what all these settings finally mean (for me it's not really obvious). – Heri Sep 27 '15 at 08:36
  • Thanks, this helped. But keep in mind that this will not work for docker containers with an added subnet in docker-compose. If you defined the ip range, e.g. 172.20.0.0/16, run ifconfig and add the new network interface (e.g. br-c0754ca0b709) in the *filter section. – Marcel Sep 08 '19 at 16:55
13

Maybe this is due to the current version, but the current answer doesn't work on my system (Docker 0.7.2 with base Ubuntu image).

The solution is explained here in the official Docker documentation.

For the lazy ones:

  • edit /etc/default/ufw to change DEFAULT_FORWARD_POLICY's value to "ACCEPT",
  • reload with [sudo] ufw reload.

This ensures ufw forwards your traffic to Docker's bridged network (as of my current understanding of these things...).

Romain Champourlier
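Both fixes above (Franchu's before.rules forward/NAT rules and the DEFAULT_FORWARD_POLICY change) depend on knowing which bridge interface ufw is actually dropping traffic on. The script below is an added example, not code from the question or any answer: it reads `[UFW BLOCK]` lines in the format shown in the question, keeps only the ones that are forwarded traffic (both IN= and OUT= set, i.e. leaving a container bridge rather than addressed to the host), and prints the matching `ufw-before-forward` and `MASQUERADE` lines, plus a check of the `DEFAULT_FORWARD_POLICY` line. The log lines and the `/etc/default/ufw` text are constructed samples fed in as strings, so it runs without touching the real files; it assumes each Docker bridge is a /24 (as the 172.16.42.x addresses in the question suggest), which you should confirm against `ip addr` before using the NAT line.

```shell
#!/bin/sh
# Added example: derive ufw before.rules lines from [UFW BLOCK] log entries.

# Constructed sample in the same format as the question's /var/log/ufw.log output.
# Line 3 is a plain inbound block on eth0 (OUT= empty) and must be ignored.
SAMPLE_LOG='Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=docker0 OUT=eth0 PHYSIN=veth1a2b3c4 MAC=02:42:ac:11:00:02:02:42:c0:a8:00:01:08:00 SRC=172.17.0.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:12:35:02:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 30 15:42:11 localhost kernel: [61624.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.3 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44'

# Constructed /etc/default/ufw sample with the stock (DROP) forward policy.
SAMPLE_DEFAULT_UFW='IPV6=yes
DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
DEFAULT_FORWARD_POLICY="DROP"'

# blocked_forwards: read log lines on stdin, print "IFACE SRC OUT" for each
# blocked packet that was being forwarded (IN= and OUT= both non-empty).
blocked_forwards() {
  awk '/\[UFW BLOCK\]/ {
    iface = ""; out = ""; src = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^IN=/)       { iface = substr($i, 4) }
      else if ($i ~ /^OUT=/) { out   = substr($i, 5) }
      else if ($i ~ /^SRC=/) { src   = substr($i, 5) }
    }
    if (iface != "" && out != "") print iface, src, out
  }'
}

# forward_rules: one ACCEPT per blocked bridge for the *filter section,
# plus the RELATED,ESTABLISHED line for return traffic.
forward_rules() {
  blocked_forwards | awk '{ print $1 }' | sort -u |
    sed 's/.*/-A ufw-before-forward -i & -j ACCEPT/'
  echo '-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT'
}

# nat_rules: MASQUERADE line per (bridge subnet, outbound interface) for the *nat
# section. Assumption: each bridge subnet is a /24, derived from the SRC address.
nat_rules() {
  blocked_forwards | awk '{
    split($2, o, ".")
    print "-A POSTROUTING -s " o[1] "." o[2] "." o[3] ".0/24 -o " $3 " -j MASQUERADE"
  }' | sort -u
}

# forward_policy_ok: succeed only if the /etc/default/ufw text on stdin already
# sets DEFAULT_FORWARD_POLICY="ACCEPT".
forward_policy_ok() {
  grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"'
}

# fix_forward_policy: rewrite the policy line to ACCEPT (prints the edited file).
fix_forward_policy() {
  sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/'
}

# Usage on the constructed samples (on a real host: sudo cat /var/log/ufw.log | forward_rules)
echo '# *filter section:'
printf '%s\n' "$SAMPLE_LOG" | forward_rules
echo '# *nat section:'
printf '%s\n' "$SAMPLE_LOG" | nat_rules
if printf '%s\n' "$SAMPLE_DEFAULT_UFW" | forward_policy_ok; then
  echo 'DEFAULT_FORWARD_POLICY already ACCEPT'
else
  echo 'DEFAULT_FORWARD_POLICY needs changing to ACCEPT'
fi
```

The forwarded/inbound distinction matters: a plain `IN=eth0 OUT=` block is ufw doing its job on the host's public interface, and it should not be turned into a forward rule. Only entries with a bridge in IN= and the uplink in OUT= are container traffic that the before.rules lines above let through.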
-1

I use the following rules for Docker networks:

#docker swarm
sudo ufw allow 2376/tcp
sudo ufw allow 2377/tcp
sudo ufw allow 7946/tcp
sudo ufw allow 7946/udp
sudo ufw allow 4789/udp
Ryabchenko Alexander