ufw-docker
Is there an elegant way to use it with docker-compose?
Hello and thank you for the good library,
I solved the problem of a Docker container running as a docker-compose service needing to access the local services exposed on the host server by using the following command:
sudo ufw allow in on br-122345655 from {docker_sub_net_cidr} to {host_server_ip} port {service_port}
But I wonder if there is a more elegant way to achieve the same result.
ufw was blocking the port before I added the command.
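The rule in the question pins the allow to the compose network's bridge interface and subnet, which is the part that has to be worked out by hand. Below is an added example (not code from this thread or from the ufw-docker project) that derives exactly that rule from `docker network inspect` output. It assumes the documented JSON shape of that command (`Id`, `Driver`, `IPAM.Config[].Subnet`, `Options`) and Docker's default naming of a user-defined bridge, `br-` plus the first 12 hex characters of the network Id, unless the network was created with the `com.docker.network.bridge.name` option. The sample inspect output and the host address are constructed.

```python
"""Build the host-side ufw rule the post above types by hand, from the output
of `docker network inspect`.

Added example (not code from the thread or from the ufw-docker project). It
assumes the documented JSON shape of `docker network inspect` (Id, Driver,
IPAM.Config[].Subnet, Options) and Docker's default naming of a user-defined
bridge: "br-" followed by the first 12 hex characters of the network Id,
unless the network was created with the com.docker.network.bridge.name option.
"""
import ipaddress
import json

# Constructed sample: trimmed `docker network inspect myproj_default` output.
SAMPLE_NETWORK_INSPECT = json.dumps([{
    "Name": "myproj_default",
    "Id": "1223456550abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"},
                        {"Subnet": "fd00:dead:beef::/64"}]},
    "Options": {},
}])


def bridge_interface(net):
    """Interface name ufw matches with `in on`: explicit option, else br-<id>."""
    explicit = net.get("Options", {}).get("com.docker.network.bridge.name")
    return explicit or "br-" + net["Id"][:12]


def network_subnets(net):
    """All subnets (IPv4 and IPv6) assigned to the network by IPAM."""
    return [ipaddress.ip_network(c["Subnet"])
            for c in net.get("IPAM", {}).get("Config", []) if "Subnet" in c]


def build_rules(inspect_json, host_ip, port, proto="tcp"):
    """Return one `ufw allow` rule per subnet that can reach host_ip.

    Traffic from a container to a host address arrives on the network's
    bridge interface, so the rule is pinned to that interface and to the
    compose subnet; nothing outside the project's network matches it.
    """
    host = ipaddress.ip_address(host_ip)      # ValueError on a malformed address
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    rules = []
    for net in json.loads(inspect_json):
        if net.get("Driver") != "bridge":
            raise ValueError(f"{net.get('Name')} is not a bridge network")
        iface = bridge_interface(net)
        for subnet in network_subnets(net):
            # A v4 host address is not reachable from a v6 subnet (and vice versa)
            if subnet.version != host.version:
                continue
            rules.append(f"ufw allow in on {iface} from {subnet} "
                         f"to {host} port {port} proto {proto}")
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_NETWORK_INSPECT, "192.168.1.10", 5432):
        print(rule)
```

Feeding it the real `docker network inspect <project>_default` output and the host's LAN address gives the same rule as in the question, with the bridge name and subnet read from Docker rather than copied from `ip addr`; an explicit `proto` keeps the rule from also opening UDP.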
Yes, I think there is.
Do you think the following commands meet your needs?
ufw-docker allow from project_name:service_name to host_server_ip port
ufw-docker deny from host_server_ip to project_name:service_name service_port
What's the difference between using ufw with docker & docker-compose? I didn't realize this was an idiosyncrasy.
I've got the same question. When running a container outside docker-compose, `ufw allow 80` lets the external network connect to port 80 on the host (and then to the container), but with docker-compose it doesn't work the same way. I was wondering why it doesn't work - I'm not using ufw-docker, just the config in `/etc/ufw/after.rules`.
I've made a thread on the docker forum with my rationale as to why I think this should be more of Docker's responsibility: https://forums.docker.com/t/docker-containerization-of-iptables-complexity-simplification-request/83631
> Yes, I think there is.
> Do you think the following commands meet your needs?
> ufw-docker allow from project_name:service_name to host_server_ip port
> ufw-docker deny from host_server_ip to project_name:service_name service_port
This would meet my needs as well. Is this already implemented?
@fcecagno Did you end up figuring it out?
Judging by how many people use docker, and how few people seem to understand how it works with iptables - it seems safe to assume the world has a majority of docker-based services running with no firewall.
@dm17 yes, when using docker-compose, I use `sudo ufw-docker allow traefik`, and it creates the rules to allow external access to the container named traefik. It's not so good, because if the container restarts with a different IP, I need to reset ufw-docker.
Also, when not using docker-compose, I'm using the after.rules plus `ufw allow forward` to specific ports, and it works fine.
I'm not sure about the IPs in docker changing... I thought it would be more reproducible than that - maybe we should ask your question on the Docker forums? And then we could recommend `sudo ufw-docker allow [unblocked containers]` here for ufw-docker?
@dm17 I know from experience that if you do `docker-compose down` and then `docker-compose up`, the containers might change their IP addresses; that's why we'd need to run ufw-docker again to open the ports. It's smart enough to remove the previous rule and add the new one, so it's pretty cool.
> it seems safe to assume the world has a majority of docker-based services running with no firewall.
Definitely! It's tricky to configure it properly. I think most people think ufw or iptables is blocking something, when in fact it isn't.
Thank you for all the comments. I'm using static IPs in compose, so this method with `ufw-docker allow containername` works fine for me. It's surprising that so few people care about proper firewall setup with Docker!