ufw-docker
Blocked IP addresses still can access docker container (fail2ban)
Thank you for this useful repo!
I followed the instructions to install the tool and forwarded a single docker container to the outside:
$ sudo ufw-docker status
[10] 172.18.0.2 5432/tcp        ALLOW FWD   Anywhere                   # allow my_postgres_db 5432/tcp my_postgres_db_network
And then banned a single IP (I did this manually, but later fail2ban should do that):
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5432                       DENY IN     <the banned IP>
...
[ 3] 5432/tcp                   ALLOW IN    Anywhere
...
[10] 172.18.0.2 5432/tcp        ALLOW FWD   Anywhere                   # allow my_postgres_db 5432/tcp my_postgres_db_network
...
[12] 5432/tcp (v6)              ALLOW IN    Anywhere (v6)
Unfortunately, I can still access the docker container at this port from the banned IP. Even though accesses to other ports are banned as expected for the same IP. Any ideas what is going wrong here?
(Possibly related to #17)
I have the same problem
Have a look at the iptables chains to see which rules are applied first. It seems the ufw rules are applied before the fail2ban rules (named "f2b-...").
In addition, ensure that fail2ban prepends the reject rules to the DOCKER-USER chain (or the FORWARD chain), so that they are applied before the ufw rules.
btw: we are using fail2ban as a container (https://github.com/linuxserver/docker-fail2ban -> https://github.com/linuxserver/fail2ban-confs/blob/master/README.md) and our fail2ban / ufw-docker setup works as expected.
It seems that fail2ban should deny forwarding as well in order to block packets to the docker container. The following config works for me:
/etc/fail2ban/action.d/ufw.conf
# Fail2Ban action configuration file for ufw
#
# You are required to run "ufw enable" before this will have any effect.
#
# The insert position should be appropriate to block the required traffic.
# A number after an allow rule to the application won't be of much use.
[Definition]
actionstart =
actionstop =
actioncheck =
# The "ufw route" rules are what block traffic that is forwarded to docker
# containers; the plain "ufw" rules only cover the host's own INPUT path.
actionban = [ -n "<application>" ] && app="app <application>"
            ufw insert <insertpos> <blocktype> from <ip> to <destination> $app &&
            ufw route insert <insertpos> <blocktype> from <ip> to <destination> $app
actionunban = [ -n "<application>" ] && app="app <application>"
              ufw delete <blocktype> from <ip> to <destination> $app &&
              ufw route delete <blocktype> from <ip> to <destination> $app
[Init]
# Option: insertpos
# Notes.: The position number in the firewall list to insert the block rule
insertpos = 1
# Option: blocktype
# Notes.: reject or deny
blocktype = deny
# Option: destination
# Notes.: The destination address to block in the ufw rule
destination = any
# Option: application
# Notes.: application from sudo ufw app list
application =
# DEV NOTES:
#
# Author: Guilhem Lettron
# Enhancements: Daniel Black
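The two points made in this thread (a plain ufw DENY IN rule is never consulted for traffic forwarded to a container, and the route deny only helps if it sits above ufw-docker's ALLOW FWD rule) can be checked offline against the text of `ufw status numbered`. The Python below is an added example, not code from ufw-docker, fail2ban or anyone in this thread: it parses the status table, replays ufw's first-match evaluation separately for the IN rules and the FWD (route) rules, and models what the `ufw route insert <insertpos> deny ...` line of the action file above adds. The rule table, the addresses 203.0.113.7 and 198.51.100.9, and all function names are constructed for the example; after an insert only the relative order of rules is modelled, not ufw's exact renumbering.

```python
"""Added example (not code from ufw-docker, fail2ban or anyone in this thread). Parses
`ufw status numbered` text and reports which rule a packet hits first on ufw's INPUT path
and on its FORWARD (route) path; the two live in separate iptables chains. STATUS below is
constructed to resemble the poster's table, with 203.0.113.7 standing in for the banned IP."""
import dataclasses
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5432                       DENY IN     203.0.113.7
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 5432/tcp                   ALLOW IN    Anywhere
[ 4] 172.18.0.2 5432/tcp        ALLOW FWD   Anywhere                   # allow my_postgres_db 5432/tcp my_postgres_db_network
[ 5] 5432/tcp (v6)              ALLOW IN    Anywhere (v6)
"""

RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.*?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
    r"(?P<dir>IN|OUT|FWD)\s+(?P<frm>.*?)(?:\s+#.*)?\s*$")
PORTSPEC_RE = re.compile(r"\d+(?::\d+)?(?:/\w+)?")  # "5432", "22/tcp", "6000:6007/udp"
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclasses.dataclass
class Rule:
    num: int
    action: str                      # ALLOW / DENY / REJECT / LIMIT
    direction: str                   # IN / OUT / FWD (FWD = a `ufw route` rule)
    src: Optional[Net]               # None = "Anywhere"
    dst: Optional[Net]               # None = any destination host
    port: Optional[Tuple[int, int]]  # inclusive port range, None = any port
    proto: Optional[str]             # "tcp"/"udp", None = any protocol
    v6: bool                         # rule belongs to the IPv6 chains


def _net(text: str) -> Optional[Net]:
    text = text.replace("(v6)", "").strip()
    return None if text in ("", "Anywhere") else ipaddress.ip_network(text, strict=False)


def _parse_to(text: str):
    """Split the 'To' column into (dst network, port range, proto); any may be None."""
    parts = text.replace("(v6)", "").split()
    if len(parts) == 2:                    # "172.18.0.2 5432/tcp"
        host, portspec = parts
    elif PORTSPEC_RE.fullmatch(parts[0]):  # "5432" or "22/tcp"
        host, portspec = None, parts[0]
    else:                                  # "Anywhere" or a bare address/network
        host, portspec = parts[0], None
    port = proto = None
    if portspec:
        p, _, proto = portspec.partition("/")
        lo, _, hi = p.partition(":")
        port, proto = (int(lo), int(hi or lo)), (proto or None)
    return (_net(host) if host else None), port, proto


def parse_status(text: str) -> List[Rule]:
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):  # headers/blanks skipped
        src, (dst, port, proto) = _net(m["frm"]), _parse_to(m["to"])
        v6 = "(v6)" in m["to"] + m["frm"] or any(n is not None and n.version == 6 for n in (src, dst))
        rules.append(Rule(int(m["num"]), m["action"], m["dir"], src, dst, port, proto, v6))
    return rules


def matches(rule: Rule, src, dst, dport: int, proto: str) -> bool:
    return (rule.v6 == (src.version == 6)
            and (rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.port is None or rule.port[0] <= dport <= rule.port[1])
            and (rule.proto is None or rule.proto == proto))


def first_match(rules: List[Rule], direction: str, src: str, dst: str, dport: int, proto: str) -> Optional[Rule]:
    """ufw walks each chain top to bottom; the first matching rule decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((r for r in sorted(rules, key=lambda r: r.num)
                 if r.direction == direction and matches(r, s, d, dport, proto)), None)


def verdict(rules: List[Rule], src: str, dst: str, dport: int, proto: str = "tcp") -> Dict[str, Optional[Tuple[str, int]]]:
    """(action, rule number) hit on the IN path (a service on the host itself) and on
    the FWD path (traffic DNATed to the container); None means no rule matched."""
    hits = {d: first_match(rules, d, src, dst, dport, proto) for d in ("IN", "FWD")}
    return {d: (h.action, h.num) if h else None for d, h in hits.items()}


def route_rule(rules: List[Rule], src: str, insertpos: Optional[int] = None, action: str = "DENY") -> List[Rule]:
    """Model `ufw route insert <insertpos> deny from <ip> to any`; insertpos=None appends like plain `ufw route deny`."""
    net = ipaddress.ip_network(src)
    new = Rule(0, action, "FWD", net, None, None, None, net.version == 6)
    ordered = sorted(rules, key=lambda r: r.num)
    ordered.insert(len(ordered) if insertpos is None else insertpos - 1, new)
    return [dataclasses.replace(r, num=i) for i, r in enumerate(ordered, 1)]


if __name__ == "__main__":
    rules = parse_status(STATUS)
    pkt = ("203.0.113.7", "172.18.0.2", 5432)
    print("DENY IN ban only:         ", verdict(rules, *pkt))                      # FWD still ALLOW
    print("plus route deny at pos 1: ", verdict(route_rule(rules, pkt[0], 1), *pkt))
    print("plus route deny appended: ", verdict(route_rule(rules, pkt[0]), *pkt))  # lands after ALLOW FWD
```

Running it shows the poster's situation first (the ban decides the IN path but the FWD path still hits the ALLOW FWD rule), then the fix from the action file (route deny at position 1 decides the FWD path), and then the insertpos caveat from the action file's own comments (a route deny appended with plain `ufw route deny` lands after ufw-docker's rule and never fires). On the live host the equivalent check is the order of rules in the real chain, e.g. `iptables -L ufw-user-forward -n --line-numbers`, where the DROP/REJECT for the banned address has to come before the ACCEPT for the container.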