
I'm running a docker container that has the port 9000:9000 binding to the host, but I also have ufw enabled. The only ports I've allowed are 22, 80, 443.

So why is it that I'm able to connect to this container using the host's IP address? Shouldn't port 9000 be blocked by ufw?

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                      NAMES
14417c4f71fb        dockerui/dockerui   "/dockerui"              2 seconds ago       Up 2 seconds        0.0.0.0:9000->9000/tcp     docker_ui

root@docker:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

Aren't all ports blocked by default when you enable ufw?

Reactgular

5 Answers


Docker silently modifies iptables. You can start the Docker daemon with the --iptables=false option by editing DOCKER_OPTS in /etc/default/docker

kliew

As mentioned by @kliew, Docker will add its own iptables chain, granting access to all exposed ports and pre-empting any rules that you define using ufw.

If you're not comfortable completely disabling Docker's control over iptables, though, there is another documented way to have your own rules respected. From the same docs:

If you need to add rules which load before Docker’s rules, add them to the DOCKER-USER chain. These rules are applied before any rules Docker creates automatically.

Source: https://docs.docker.com/network/iptables/#add-iptables-policies-before-dockers-rules

This would preclude the use of ufw, though, because ufw only operates within its own iptables chains and doesn't give you control over the DOCKER-USER chain. You'll have to do this using iptables directly.

tobi

Docker modifies iptables and UFW is not aware of this.

This answer describes what is happening and how to fix it: https://stackoverflow.com/a/46266757

Please follow it.

Te Ri

Adding "--iptables=false" is not a good solution, as I said here: https://stackoverflow.com/a/54486957/1712906

A better solution is to add these lines to /etc/ufw/after.rules:

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
fvildoso
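The mechanism behind the answers above (published ports are DNATed and forwarded, so ufw's INPUT rules never see them, and only the DOCKER-USER chain can filter them) can be checked from `iptables-save` output. The following Python script is an added example, not code from any of the answers; it parses a constructed `iptables-save` dump for the host in the question and reports published container ports that are not in the ufw allow list while DOCKER-USER is still Docker's default bare RETURN.

```python
"""Audit iptables-save output for container ports that bypass ufw."""
import re

# Constructed sample of `iptables-save` output modelled on the question:
# ufw allows 22/80/443 (via INPUT -> ufw-user-input), Docker publishes 9000
# with a DNAT rule in the nat table, and DOCKER-USER is Docker's default.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Ports Docker publishes: DNAT rules in the nat table's DOCKER chain.
DNAT_RE = re.compile(r"^-A DOCKER .*-p (tcp|udp) .*--dport (\d+) -j DNAT")
# Ports ufw allows: ACCEPT rules in its ufw-user-input chain (INPUT path only).
UFW_RE = re.compile(r"^-A ufw-user-input .*-p (tcp|udp) .*--dport (\d+) -j ACCEPT")
DEFAULT_DOCKER_USER = "-A DOCKER-USER -j RETURN"


def audit(rules):
    """Return published ports, whether DOCKER-USER filters anything, and the
    published ports that reach the container without passing any ufw rule."""
    table, published, allowed, docker_user = None, set(), set(), []
    for line in rules.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        m = DNAT_RE.match(line)
        if table == "nat" and m:
            published.add((m.group(1), int(m.group(2))))
        m = UFW_RE.match(line)
        if table == "filter" and m:
            allowed.add((m.group(1), int(m.group(2))))
        if table == "filter" and line.startswith("-A DOCKER-USER "):
            docker_user.append(line)
    # DNATed traffic traverses FORWARD -> DOCKER-USER, never INPUT, so only a
    # DOCKER-USER chain with more than the default RETURN can restrict it.
    hardened = any(l != DEFAULT_DOCKER_USER for l in docker_user)
    bypass = [] if hardened else sorted(p for p in published if p not in allowed)
    return {"published": sorted(published), "docker_user_hardened": hardened,
            "bypassing_ufw": bypass}
```

Feed it the real output of `iptables-save` on a host to see which published ports are reachable regardless of `ufw status`.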

For me "--iptables=false" did not work and my system doesn't use ufw, so I created another method. OS: Ubuntu/Debian.

Created directory named iptables in /etc/.

mkdir /etc/iptables
cd /etc/iptables

Here I saved the rules from the currently working iptables.

iptables-save > rules.v4 # IPv4 iptables rules
ip6tables-save > rules.v6 # IPv6 iptables rules

Added the following lines to /etc/rc.local:

#  Flush iptables rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
#  Restore iptables rules from files
iptables-restore < /etc/iptables/rules.v4     # Restore ipv4 rules
ip6tables-restore < /etc/iptables/rules.v6    # Restore ipv6 rules

Now at every reboot the iptables rules will be flushed and restored from /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

If you want to modify the ipv4 rules or add more rules you can do it in /etc/iptables/rules.v4 then execute iptables-restore < /etc/iptables/rules.v4. If you want to modify the ipv6 rules or add more rules you can do it in /etc/iptables/rules.v6 then execute ip6tables-restore < /etc/iptables/rules.v6.

Mihai M