
service allow from ip

mbarbeaux opened this issue 5 years ago • 19 comments

Hi,

Thanks for this amazing project. It works really well in swarm mode! I was wondering if it is possible to restrict opening a service port to only a custom IP?

E.g. something like sudo ufw-docker service allow my-service from 123.45.67.89 1234/tcp?

Moreover, is it possible to open multiple ports at the same time for a service? Something like sudo ufw-docker service allow my-service 1234:1238/tcp?

mbarbeaux avatar Jan 10 '19 20:01 mbarbeaux

Thanks for using this small project.

About the second question, check this issue #5

Yes, I think it's possible to use more complicated rules for services. I will consider how to implement this feature.

chaifeng avatar Jan 13 '19 09:01 chaifeng

Thanks for this tool. It would be great if you could post some examples on how to use this tool to limit ports to specific IP addresses, as it is very common to need to limit certain ports to certain IP addresses - to allow access from a VPN or between specific instances, etc.

I tried using the syntax ufw allow route from IP_ADDRESS/32 to any port 1234. However, the firewall with the config specified in this tool is rejecting such a rule, and it only works if I allow any IP address to this port.

darklow avatar Apr 03 '19 15:04 darklow

I've recently encountered the same need. Forwarding ports to a service but only from my IP address (remote debugging).

I think the syntax should align with ufw:

# ufw
$ ufw route allow proto tcp from ${CUSTOM-IP-ADDR} to ${DOCKER-CONTAINER-IP} port ${PORT}

# ufw-docker
$ ufw-docker allow from ${CUSTOM-IP-ADDR} ${CONTAINER-NAME} ${PORT}/${PROTO}

riker09 avatar Apr 08 '19 13:04 riker09

I agree that this will be useful. In my case, I have:

  • A database service running in Docker, exposing its port to the localhost (127.0.0.1:3306->3306/tcp)
  • Another Docker container, from another docker-compose project, that should access this database via 172.17.0.1:3306.

At the moment, a connection from the host to 127.0.0.1:3306 is working, but not from another Docker container to 172.17.0.1:3306. It gets blocked by ufw:

May 23 12:03:20 hostname kernel: [30312236.628116] [UFW BLOCK] IN=br-… OUT= PHYSIN=veth… MAC=… SRC=172.20.0.3 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45020 DF PROTO=TCP SPT=48138 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0

slhck avatar May 23 '19 11:05 slhck

The corresponding line is this:

https://github.com/chaifeng/ufw-docker/blob/master/ufw-docker#L98

Would it be enough to add a new parameter that specifies the from IP address?

slhck avatar May 23 '19 12:05 slhck

@slhck I tried doing it manually with the following command

sudo ufw route allow proto tcp from 192.168.0.0/24 to any port 443

It still seems to be dropping the connections from the whitelisted IP range.

coltonrb avatar Jul 03 '19 16:07 coltonrb

Is the container's port 443? We must use container ports for the ufw command, not host ports.

chaifeng avatar Jul 06 '19 04:07 chaifeng

Yes, it was the container's port (actually, it was both the container's port and the host's port, just to eliminate that variable).

coltonrb avatar Jul 07 '19 23:07 coltonrb

While the swarm agent works perfectly and thank you for writing this, any updates on whether this functionality has been added?

MuzammilM avatar Oct 07 '19 11:10 MuzammilM

Also looking for this functionality. I don't care about per-container support - just predictably deny all to 443/80 + allow 1 IP to 443/80.

dm17 avatar Oct 07 '19 22:10 dm17

Hi guys,

I will begin implementing this feature.

The ufw-docker sub-commands will be like:

ufw-docker service allow from ${ip_address} to \
    service:${swarm_service_name} port ${service_port}

ufw-docker service allow proto tcp from ${ip_address} to \
    service:${swarm_service_name} port ${service_port}

ufw-docker service allow proto tcp from ${ip_address} to \
    service:all port ${service_port}

Thanks for your feedback!

chaifeng avatar Oct 10 '19 05:10 chaifeng

That's great, thanks!

Just curious though, this will not just be for Swarm services, right? In practice one would probably specify the name of a container or particular docker compose service.

slhck avatar Oct 10 '19 05:10 slhck

Yes,

> That's great, thanks!
>
> Just curious though, this will not just be for Swarm services, right? In practice one would probably specify the name of a container or particular docker compose service.

Ya, hopefully

chaifeng avatar Oct 10 '19 06:10 chaifeng

> Also looking for this functionality. I don't care about per-container support - just predictably deny all to 443/80 + allow 1 IP to 443/80.

OK, I think this functionality works fine... I was just using the wrong UFW commands. One must deny all, and then use this to allow per IP per port: ufw route allow proto tcp from the.ip.addr.0 to any port 443

dm17 avatar Oct 11 '19 16:10 dm17

Has this feature been implemented yet?

ocafebabe avatar Aug 25 '20 23:08 ocafebabe

For people that have tried this before Docker version 19.03.4, here are some tests. I think the Docker team made some changes to the FORWARD chain in Docker 19.03.4 (released on 2019-10-17).

I have an nginx container: "docker run --name nginx -p 8080:80 -d nginx". I want only the 192.168.0.0/24 subnet to be able to access the nginx server on 10.0.0.2:8080.

  • Host IP: 10.0.0.2
  • Container IP: 172.16.0.2
  • Client subnet: 192.168.0.0/24
  • UFW command: "ufw route allow proto tcp from 192.168.0.0/24 to 172.16.0.2 port 80".
  1. On Docker 19.03.3 => any IP can access the nginx server (with or without the UFW command)
test@test:~$ sudo iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER-USER  all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere
  2. On Docker 19.03.4 (and onwards) => only the 192.168.0.0/24 subnet can access the nginx server on 10.0.0.2:8080
test@test:~$ sudo iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

You can see that in v19.03.4 the DOCKER-USER chain is above the DOCKER-ISOLATION-STAGE-1 chain. I could assume this is the reason why the traffic is not filtered in v19.03.3, while in 19.03.4 it is filtered as expected.

mlollo avatar Dec 22 '20 20:12 mlollo

Has this option been implemented? I need to expose the container, but limit the source addresses that can access it.

arbaldin avatar Jul 28 '23 20:07 arbaldin

I don't think this option is implemented. I tried this command, but it does not work:

sudo ufw allow from x.x.x.x to any port 8080 proto tcp

Does anyone have any suggestions?

sravzpublic avatar Jul 29 '23 18:07 sravzpublic

I got it working to expose a container only to a whitelisted IP with the normal installation of ufw-docker and then executing these commands on the host:

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' docker_container_name

Now we have the IP address of the Docker container.

ufw route allow proto tcp from white_listed_ip to docker_container_ip port container_port

After that you can access the Docker container from the whitelisted IP.

mxwmnn avatar Aug 24 '23 11:08 mxwmnn
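An added helper script that is not part of ufw-docker and not code posted by any commenter. It combines two points from the thread: mlollo's observation that the ufw route rule only filters traffic when DOCKER-USER is listed before DOCKER-ISOLATION-STAGE-1 in the FORWARD chain (Docker 19.03.4 and later), and mxwmnn's procedure of resolving the container IP and adding a per-source route rule. Function and variable names, and the abridged sample chain listings, are my own constructions.

```shell
#!/bin/sh
# Added example, not ufw-docker's own code. Function and variable names are mine.
# (1) docker_user_first: check whether the FORWARD chain lists DOCKER-USER before
#     DOCKER-ISOLATION-STAGE-1, the ordering on Docker >= 19.03.4 where a
#     "ufw route allow" rule actually takes effect for forwarded traffic.
# (2) allow_from: add a ufw route rule admitting one source CIDR to a container port.

# Read `iptables -L FORWARD` text on stdin; return 0 when DOCKER-USER precedes
# DOCKER-ISOLATION-STAGE-1 (ufw route rules are consulted), 1 otherwise.
docker_user_first() {
    awk '
        $1 == "DOCKER-USER" && !su              { user = NR; su = 1 }
        $1 == "DOCKER-ISOLATION-STAGE-1" && !si { iso = NR; si = 1 }
        END { exit !(su && si && user < iso) }
    '
}

# Print the ufw route rule for: source CIDR, container IP, container port,
# protocol (default tcp). The port is the container port, not the host -p port.
build_route_rule() {
    printf 'ufw route allow proto %s from %s to %s port %s\n' \
        "${4:-tcp}" "$1" "$2" "$3"
}

# Resolve the container's IP with docker inspect and apply the rule on the host
# (needs root). With DRY_RUN=1 the rule is printed instead of applied.
allow_from() {
    src="$1" name="$2" port="$3" proto="${4:-tcp}"
    ip=$(docker inspect -f \
        '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$name") \
        || return 1
    if [ -n "$DRY_RUN" ]; then
        build_route_rule "$src" "$ip" "$port" "$proto"
    else
        ufw route allow proto "$proto" from "$src" to "$ip" port "$port"
    fi
}

# Constructed, abridged FORWARD listings mirroring the two shown in the thread.
OLD_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
DOCKER-USER  all  --  anywhere             anywhere'
NEW_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere'

# Live check on a real host:  sudo iptables -L FORWARD | docker_user_first
# Live use:  DRY_RUN=1 allow_from 192.168.0.0/24 nginx 80
```

Run the live check first: if it fails, the FORWARD ordering matches the Docker 19.03.3 case in the thread and the route rule will not restrict anything.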