ufw-docker
containers are still accessible publicly
I have run ufw-docker install, but containers are still accessible publicly without opening any ports via ufw.
I guess the issue is that I have two NICs, one public and one local. I added the public IP to the after.rules, but that did not fix anything.
I tried resetting ufw and rebooting after adding the rules but still accessible.
Anyone got any idea on what the issue might be?
########## iptables -n -L DOCKER-USER ##########
Chain DOCKER-USER (0 references)
target prot opt source destination
ufw-user-forward all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 10.0.0.0/8 0.0.0.0/0
RETURN all -- 172.16.0.0/12 0.0.0.0/0
RETURN all -- 192.168.0.0/16 0.0.0.0/0
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
ufw-docker-logging-deny tcp -- 0.0.0.0/0 192.168.0.0/16 tcp flags:0x17/0x02
ufw-docker-logging-deny tcp -- 0.0.0.0/0 10.0.0.0/8 tcp flags:0x17/0x02
ufw-docker-logging-deny tcp -- 0.0.0.0/0 172.16.0.0/12 tcp flags:0x17/0x02
ufw-docker-logging-deny tcp -- 0.0.0.0/0 XX.XXX.XXX.X tcp flags:0x17/0x02
ufw-docker-logging-deny udp -- 0.0.0.0/0 192.168.0.0/16 udp dpts:0:32767
ufw-docker-logging-deny udp -- 0.0.0.0/0 10.0.0.0/8 udp dpts:0:32767
ufw-docker-logging-deny udp -- 0.0.0.0/0 172.16.0.0/12 udp dpts:0:32767
ufw-docker-logging-deny udp -- 0.0.0.0/0 XX.XXX.XXX.X udp dpts:0:32767
RETURN all -- 0.0.0.0/0 0.0.0.0/0
########## diff /etc/ufw/after.rules ##########
--- /etc/ufw/after.rules 2021-01-22 22:03:42.366124108 +0100
+++ /tmp/tmp.VUESxreQu9 2021-01-23 23:44:16.423945619 +0100
@@ -44,11 +44,9 @@
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
--A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d XX.XXX.XXX.X
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
--A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d XX.XXX.XXX.X
-A DOCKER-USER -j RETURN
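Review bot: the two `--A DOCKER-USER ... -d XX.XXX.XXX.X` lines this hunk shows as removed would not have matched anything even if kept: DOCKER-USER is reached from the filter table's FORWARD chain, and by then Docker's DNAT in nat PREROUTING has already rewritten the destination of published-port traffic from the host's public address to the container address (172.20.0.x in the status output below), so only the `-d 172.16.0.0/12` deny rule can ever catch it. The more telling detail is `Chain DOCKER-USER (0 references)` in the listing above: no `FORWARD -j DOCKER-USER` rule exists, so nothing in this chain is consulted at all. Docker installs that jump when the daemon starts, and `ufw reset`/`ufw disable` flush it away; restart docker after such a reset and confirm the chain shows `(1 references)` before testing again.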
Status: active
To Action From
-- ------ ----
[ 1] 1001 ALLOW IN Anywhere # ssh
[ 2] 192.168.0.3 4695 on enp3s0 ALLOW FWD Anywhere (out) # vnc
[ 3] Samba on enp3s0 ALLOW IN Anywhere # smb
[ 4] 172.20.0.3 443/tcp ALLOW FWD Anywhere # allow traefik 443/tcp
[ 5] 172.20.0.3 80/tcp ALLOW FWD Anywhere # allow traefik 80/tcp
[ 6] 172.20.0.16 49161/tcp ALLOW FWD Anywhere # allow rtorrent 49161/tcp
[ 7] 172.20.0.16 49161/udp ALLOW FWD Anywhere # allow rtorrent 49161/udp
[ 8] 172.20.0.6 32400/tcp ALLOW FWD Anywhere # allow plex 32400/tcp
Do you test with an external network? I don't mean using a public IP address inside the internal network.
The default firewall rules are open to the internal network.
How do I block the internal network? I got a container running on 80 and I've done sudo ufw deny 80
but it is still accessible.
Do you test with an external network? I don't mean using a public IP address inside the internal network.
The default firewall rules are open to the internal network.
Yes I tested from an external network. I never managed to figure out why I had this issue but I have since switched OS and entire setup (because of other reasons) so this is no longer an issue for me. I'll leave the issue open since other people seems to have the same issue or you can close it.
I have the same issue. I'm running Ubuntu 20.04 server. I have deleted all private subnets to test:
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
And rebooted the server to be sure. It is expected that when running
docker run -d -p 8085:80 --name=nginx nginx:alpine
I am not able to curl SERVER_IP:8085 from anywhere, even from the internal network.
But I can still access the server from another machine:
curl 10.40.253.4:8085
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Same problem here using Ubuntu 20.04...
I have the same problem. I think it is to do with where the rules are put in the iptables. My standard ufw rules that I want to use to block all traffic to the server are still added to the chain ufw-user-input, which is after the ufw-docker-added ones in the chain ufw-user-forward, meaning that the allow-all-traffic-to-container rule for port 80 lets banned IPs in, as they are not processed as banned until after that rule. As I see it. Below is the pertinent part of my iptables in the order it is written:
Chain ufw-user-forward (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.31.0.3 tcp dpt:http
ACCEPT tcp -- anywhere 172.31.0.3 tcp dpt:https
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT all -- 10.0.0.0/8 anywhere
ACCEPT all -- 172.16.0.0/12 anywhere
ACCEPT all -- 192.168.0.0/16 anywhere
DROP all -- 148.252.128.251 anywhere #test ip for dropping
ACCEPT udp -- anywhere anywhere udp dpt:3478
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:6789
ACCEPT tcp -- anywhere anywhere tcp dpt:8843
I have solved this by changing /etc/ufw/after.rules to
# BEGIN UFW AND DOCKER
*filter
# added line to allow processing of user-input rules in the filter table
:ufw-user-input - [0:0]
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
# added line to process user-input rules first
-A DOCKER-USER -j ufw-user-input
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
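Both points raised in this thread, the maintainer's that the stock rules are open to the internal network and the comment above that a ban placed in ufw-user-input is never consulted before the ALLOW FWD rule, can be checked without touching a live host by walking a packet through the chains in rule order. The script below is an added example, not ufw-docker's own code: it parses iptables-save style rules and follows jumps and RETURNs the way the kernel does. The rules, container addresses, packets and the 203.0.113.0/24 "public" sources are constructed to mirror the listings above, not taken from any host.

```python
"""Toy walker for iptables chain order. Added example, not ufw-docker's code: it reads
iptables-save style "-A CHAIN ..." lines (only -s, -d, -p, --dport, --tcp-flags, -j are
modelled) and walks one packet through DOCKER-USER as the kernel would: jump into user
chains, RETURN to the caller, LOG falls through. Rules, addresses and packets below are
constructed; 203.0.113.0/24 is a documentation range standing in for public sources."""
import ipaddress

# Shared user chains, modelled on the listing in the thread (constructed values).
COMMON = """
-A ufw-user-forward -d 172.31.0.3 -p tcp --dport 80 -j ACCEPT
-A ufw-user-forward -d 172.31.0.3 -p tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 10.0.0.0/8 -j ACCEPT
-A ufw-user-input -s 203.0.113.7 -j DROP
-A ufw-user-input -p tcp --dport 6789 -j ACCEPT
-A ufw-docker-logging-deny -j LOG
-A ufw-docker-logging-deny -j DROP
"""
# Stock ufw-docker DOCKER-USER: ufw-user-forward first, private sources RETURN, rest denied.
DOCKER_USER = """
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 192.168.0.0/16 -j RETURN
-A DOCKER-USER -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12 -j ufw-docker-logging-deny
-A DOCKER-USER -j RETURN
"""
BEFORE = COMMON + DOCKER_USER
# The change proposed in the comment above: consult ufw-user-input before anything else.
AFTER = COMMON + "-A DOCKER-USER -j ufw-user-input\n" + DOCKER_USER
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse(text):
    """Group rules by chain in append order, keeping only the matches we model."""
    chains = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["-A"]:
            continue
        chain, rule, i = tok[1], {}, 2
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt in ("-s", "-d"):
                rule[opt] = ipaddress.ip_network(arg, strict=False)
            elif opt == "--dport":
                lo, _, hi = arg.partition(":")
                rule["--dport"] = (int(lo), int(hi or lo))
            elif opt == "--tcp-flags":  # takes "MASK COMP"; only the SYN-only form is modelled
                rule["syn_only"], i = True, i + 1
            elif opt in ("-p", "-j"):
                rule[opt] = arg
            i += 2
        chains.setdefault(chain, []).append(rule)
    return chains


def matches(rule, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    lo, hi = rule.get("--dport", (0, 65535))
    return ((src in rule["-s"] if "-s" in rule else True)
            and (dst in rule["-d"] if "-d" in rule else True)
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and lo <= pkt["dport"] <= hi
            and (pkt.get("syn", False) or not rule.get("syn_only")))


def walk(chains, chain, pkt, trace):
    """ACCEPT/DROP/REJECT, or None when the chain RETURNs or runs off its end."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in TERMINAL or target == "RETURN":
            trace.append(f"{chain}:{target}")
            return target if target in TERMINAL else None
        if target not in (None, "LOG"):  # LOG is non-terminating; anything else is a user chain
            trace.append(f"{chain}->{target}")
            verdict = walk(chains, target, pkt, trace)
            if verdict is not None:
                return verdict
    return None


def forward_verdict(ruleset, pkt):
    """Verdict DOCKER-USER gives a forwarded packet; CONTINUE means it falls through
    to whatever follows the DOCKER-USER jump in FORWARD (ufw's own forward chains)."""
    trace = []
    verdict = walk(parse(ruleset), "DOCKER-USER", pkt, trace)
    return verdict or "CONTINUE", trace


# Constructed packets: first SYN of a connection, destination already DNATed to the container.
BANNED_TO_WEB = dict(src="203.0.113.7", dst="172.31.0.3", proto="tcp", dport=80, syn=True)
PUBLIC_TO_6789 = dict(src="203.0.113.50", dst="172.31.0.9", proto="tcp", dport=6789, syn=True)
LAN_TO_6789 = dict(src="10.0.0.5", dst="172.31.0.9", proto="tcp", dport=6789, syn=True)

if __name__ == "__main__":
    for label, rules in (("stock", BEFORE), ("ufw-user-input first", AFTER)):
        for name, pkt in (("banned->web:80", BANNED_TO_WEB), ("public->6789", PUBLIC_TO_6789),
                          ("lan->6789", LAN_TO_6789)):
            verdict, trace = forward_verdict(rules, pkt)
            print(f"{label:21} {name:15} {verdict:9} {' '.join(trace)}")
```

With the stock chain the banned source is ACCEPTed by the ALLOW FWD rule before any deny is seen, and a LAN source to an unpublished port gets CONTINUE (the private-source RETURN), which is the "open to the internal network" behaviour. With the ufw-user-input jump first the ban works, but the walk also shows the cost of that change: an ACCEPT meant for a host port (6789 here) now accepts forwarded traffic to any container on that port from anywhere, bypassing the ufw-docker allow list. If only bans are wanted, `ufw route insert 1 deny from <ip>` places the deny at the top of ufw-user-forward, ahead of the ALLOW FWD rules, without pulling host-side ACCEPTs into the forward path.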
THX!
Fixed for me:
https://github.com/chaifeng/ufw-docker/issues/33 https://github.com/moby/moby/issues/4737#issuecomment-1020229829
It didn't work for me. I am still able to access all containers publicly...