ufw-docker
Doesn't work with IPV6
So I took a shot at trying to get this to work with IPv6 addresses with no luck. If I disable the ufw service I'm able to access my site using the v6 address, but when I enable ufw the connection times out. I found /etc/ufw/after6.rules and tried to modify it to work, but I must be doing something wrong. My guess is it's something with the v6 subnet.
# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fe80::/10
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw6-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fe80::/10
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d fe80::/10
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
Here is my ifconfig:
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::1 prefixlen 64 scopeid 0x20<link>
ether 02:42:0e:75:6d:9a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ufw status
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp ALLOW FWD Anywhere
443/tcp ALLOW FWD Anywhere
80/tcp (v6) ALLOW FWD Anywhere (v6)
443/tcp (v6) ALLOW FWD Anywhere (v6)
Sorry, I haven't tried IPv6 in Docker. This weekend I tried to set up a local IPv6 network by using VirtualBox, but was not successful.
I checked our servers and found the IPv6 address of docker0 is like fe80::aaaa:bbbb:cccc:dddd, not fe80::1 as you showed. I'm not sure if this is an issue?
From the document IPv6 with Docker | Docker Documentation we can see that the IPv6 address of docker0 is like 2001:db8::c008/125.
So sorry, I cannot help you now. But I would like to try IPv6 when I have time.
If you have any updates please let me know, thanks!
@chaifeng thank you for your timely response. I took a look at the documentation you mentioned and made the changes that they describe. It now looks like the docker0 interface has two versions of an IPv6 address. I will admit I'm pretty new to firewalls and very new to ufw, so I'm not even sure what the best way to debug this would be. I don't really need IPv6 container support and I think it would be better to have the IPv6 requests to my server forwarded as IPv4, but I'm not sure how to do that.
The reason I found this issue was because I was unable to access my website from my phone when not connected to WiFi. My LTE connection has an IPv6 address, which makes my site unreachable.
ifconfig:
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::1 prefixlen 64 scopeid 0x20<link>
inet6 2001:db8:1::1 prefixlen 64 scopeid 0x0<global>
ether 02:42:0e:75:6d:9a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
I have updated my after6.rules to reflect the new address:
# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 2001:db8:1::/64
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw6-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 2001:db8:1::/64
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 2001:db8:1::/64
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
I enabled ufw logging and I can still see the request being blocked. The DST is my server's public IPv6 address.
Feb 17 19:23:03 smokey kernel: [1019599.765240] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=x:x:x:x:x:x:x:x LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
Feb 17 19:23:04 smokey kernel: [1019600.761464] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=x:x:x:x:x:x:x:x LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
Feb 17 19:23:06 smokey kernel: [1019602.765518] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=x:x:x:x:x:x:x:x LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
Does it block unwanted traffic if the client is IPv6? Since it only changes after.rules and not after6.rules, I suspect that it may not block incoming traffic through IPv6. I haven't experimented, nor do I have any knowledge about IPv6.
@Fazel94 No, currently it doesn't support IPv6. But the method is similar.
For the following code, you need to replace 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 with your internal IPv6 addresses. Then add the changed code to the end of the file /etc/ufw/after6.rules.
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
I don't have an IPv6 network environment for now, and I am also not very familiar with IPv6; I've just used it somewhere.
BTW, if you don't care about IPv6, disable it for your servers.
If you care about it, disable IPv6 for Docker, set up a web reverse proxy and forward the IPv6 traffic to the Docker containers; it's an easier way.
That helped me.
But I also had to change ufw-user-forward to ufw6-user-forward:
# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fc00::/7
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw6-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fc00::/7
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d fc00::/7
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
@chaifeng , my interest in the issue is about security, I propose you add it to README.md that the solution wouldn't block unwanted traffic in IPv6. I and several people I know faced security problems due to bad workings of UFW and docker on IPv4.
@Fazel94 @SnejPro could you please paste your solution if it works?
/etc/ufw/after.rules
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
/etc/ufw/after6.rules
# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fc00::/7
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw6-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fc00::/7
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d fc00::/7
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
After setting the cidr to be fixed in daemon.json like:
{
"ipv6": true,
"fixed-cidr-v6": "fc00::/80"
}
the IPv6 traffic got actually blocked correctly, but I am unable to allow access to specific ports via IPv6. The recommended way, ufw route allow proto tcp from any to any port 80, does not seem to work like this.
@LiohMoeller Have you found a solution on this?
@sephentos did you find solution?
@dyanakiev Unfortunately not. Still no good IPv6 support for me.
I was able to set up IPv6 via ipv6nat.
Created a PR https://github.com/chaifeng/ufw-docker/pull/92 with fixes in the script to add IPv6 rules on ufw-docker install and ufw-docker allow.
Perhaps it can be done better, but I tried not to change much of the existing code.
Docker ip6tables are disabled by default (even if you enable IPv6).
You have to enable ip6tables in the Docker daemon settings (on version 23.0.0+).
See: https://forums.docker.com/t/docker-user-chain-for-ip6tables/133961
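The three IPv6 pitfalls raised in this thread (ip6tables left off in the Docker daemon, the IPv4 chain name ufw-user-forward used in after6.rules, and RETURN/DROP networks that do not contain Docker's fixed-cidr-v6) can be checked mechanically before the rules are loaded. The checker below is an added example, not part of ufw-docker; the daemon.json and after6.rules inputs are constructed, and the `ip6tables` daemon.json key is the option name as I know it, so treat it as an assumption.

```python
import ipaddress
import json
import re

# Constructed sample inputs (not from the thread): a daemon.json without "ip6tables",
# and an after6.rules block that names the IPv4 chain and drops to the wrong network.
DAEMON_JSON = '{"ipv6": true, "fixed-cidr-v6": "fc00::/80"}'
AFTER6_RULES = """# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fc00::/7
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fe80::/10
-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
"""

def check_ipv6_setup(daemon_json: str, after6_rules: str) -> list[str]:
    """Return the misconfigurations found; an empty list means every check passed."""
    problems = []
    cfg = json.loads(daemon_json)
    # Without ip6tables Docker installs no DOCKER-USER chain in ip6tables, so the
    # after6.rules block is never consulted (daemon option name assumed, see lead-in).
    for key in ("ipv6", "ip6tables"):
        if not cfg.get(key):
            problems.append(f"daemon.json: '{key}' is not enabled")
    m = re.search(r"# BEGIN UFW AND DOCKER(.*?)# END UFW AND DOCKER", after6_rules, re.S)
    if not m:
        return problems + ["after6.rules: no UFW AND DOCKER block found"]
    block = m.group(1)
    if "ufw-user-forward" in block:  # ufw's IPv6 user chain is ufw6-user-forward
        problems.append("after6.rules: uses ufw-user-forward; the IPv6 chain is ufw6-user-forward")
    nets = {"-s": [], "-d": []}
    for flag, net in re.findall(r"(-s|-d) (\S+)", block):
        n = ipaddress.ip_network(net, strict=False)
        if n.version == 6:
            nets[flag].append(n)
        else:
            problems.append(f"after6.rules: IPv4 network {net} in an ip6tables file")
    # The RETURN -s and DROP -d networks must contain Docker's own IPv6 pool.
    cidr = cfg.get("fixed-cidr-v6")
    if cidr:
        pool = ipaddress.ip_network(cidr, strict=False)
        for flag, nlist in nets.items():
            if not any(pool.subnet_of(n) for n in nlist):
                problems.append(f"after6.rules: no {flag} rule covers fixed-cidr-v6 {cidr}")
    return problems
```

Run it against the real /etc/docker/daemon.json and /etc/ufw/after6.rules contents; an empty result means the block is at least reachable and addressed to the right subnet, which is the precondition for ufw route allow rules to take effect on IPv6.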
@Etheroit thanks for the tip, it works. I fixed the PR.
Np. I was struggling with this issue too and just came across this when trying to debug it. Pure coincidence and good timing I guess 😉, yet I think that's why it wasn't working properly for the rest?
Nobody mentioned it here, I think that was the problem. When I googled, I found only a way with "ipv6nat" and decided to adapt it to ufw.
Does the script support IPv6 now?
@GF-Huang I didn't notice that GitHub notified here about the merge in my own repository. My fixes are not accepted yet, but you can follow the instructions in the PR https://github.com/chaifeng/ufw-docker/pull/92 and install my script.