
Add IPv6 support

Open • ghostiam opened this issue 2 years ago • 2 comments

https://github.com/chaifeng/ufw-docker/issues/8

For testing:

Enable IPv6 support in Docker by specifying a ULA range (RFC 4193) in /etc/docker/daemon.json:

{
  "experimental": true,
  "ipv6": true,
  "ip6tables": true,
  "fixed-cidr-v6": "fd00:dead:beef::/48"
}

Restart Docker:

systemctl restart docker

Reinstall script:

sudo wget -O /usr/local/bin/ufw-docker \
  https://github.com/ghostiam/ufw-docker/raw/v6nat/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker
sudo ufw-docker install

Output:
--- /etc/ufw/after6.rules	2023-03-19 21:43:32.713888837 +0000
+++ /tmp/tmp.CPfwzQubwd	2023-03-19 21:43:35.341910743 +0000
@@ -25,3 +25,24 @@

 # don't delete the 'COMMIT' line or these rules won't be processed
 COMMIT
+# BEGIN UFW AND DOCKER
+*filter
+:ufw6-user-forward - [0:0]
+:ufw6-docker-logging-deny - [0:0]
+:DOCKER-USER - [0:0]
+-A DOCKER-USER -j ufw6-user-forward
+
+-A DOCKER-USER -j RETURN -s fd00:dead:beef::/48
+
+-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
+
+-A DOCKER-USER -j ufw6-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fd00:dead:beef::/48
+-A DOCKER-USER -j ufw6-docker-logging-deny -p udp -m udp --dport 0:32767 -d fd00:dead:beef::/48
+
+-A DOCKER-USER -j RETURN
+
+-A ufw6-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
+-A ufw6-docker-logging-deny -j DROP
+
+COMMIT
+# END UFW AND DOCKER
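Review bot: the two `-j ufw6-docker-logging-deny` rules only match `-d fd00:dead:beef::/48`, the exact `fixed-cidr-v6` value from the test daemon.json, so a container on any other IPv6 subnet (a user-defined network created with its own `--subnet`, or a host that configured a different prefix) is never sent to the deny chain and falls through to the final `-A DOCKER-USER -j RETURN`, which means its published ports stay reachable regardless of ufw. The same hard-coded prefix is used in `-A DOCKER-USER -j RETURN -s fd00:dead:beef::/48`. Suggest matching the whole ULA range `fc00::/7` (RFC 4193, which is what the daemon.json step above asks the user to configure) in both places, or deriving the `-s`/`-d` prefixes from the Docker configuration at install time, and documenting that any container prefix outside that range has to be added by hand.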

Backing up /etc/ufw/after6.rules to /etc/ufw/after6.rules-ufw-docker~2023-03-19-214335~
Please restart UFW service manually by using the following command: sudo systemctl restart ufw

Run Nginx:

docker run --rm --name nginx -ti -p 8080:80 nginx

Allow rule:

ufw-docker allow nginx 80/tcp

allow nginx 80/tcp bridge
ufw route allow proto tcp from any to 172.17.0.2 port 80 comment allow nginx 80/tcp bridge
Rule added
allow nginx_IPv6 80/tcp bridge
ufw route allow proto tcp from any to fd00:dead:beef::242:ac11:2 port 80 comment allow nginx_IPv6 80/tcp bridge
Rule added (v6)

Try to connect (an IPv6 literal in a URL has to be enclosed in square brackets for curl):

curl -v -6 "http://[<IPv6>]:8080/"

Get the real IP of the requester in the Nginx logs:

reda:cted:reda:cted:5400:2ff:fef5:bac7 - - [19/Mar/2023:21:35:38 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.68.0" "-"

ghostiam, Mar 19 '23 21:03
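The generated after6.rules block above sends traffic to `ufw6-docker-logging-deny` only when the destination lies inside the one `fixed-cidr-v6` prefix, so a practitioner adopting it should verify that every running container's IPv6 address is actually inside a denied prefix before trusting ufw to gate published ports. The script below is an added example, not part of the issue or of the ufw-docker project: it parses the `ip6tables -S DOCKER-USER` listing, collects the `-d` prefixes of the rules that jump to the deny chain, and reports containers whose addresses would fall through to the final `-j RETURN`. The rule listing and the container addresses embedded here are constructed samples (the `app-on-custom-net` address is an assumed user-defined-network subnet); on a real host pipe `ip6tables -S DOCKER-USER` into the script and fill the dictionary from `docker inspect`.

```python
"""Report containers whose IPv6 address is not covered by the ufw-docker deny rules.

Added example (not ufw-docker code). Usage on a real host:
    ip6tables -S DOCKER-USER | python3 check_v6_deny.py
With no stdin, the constructed sample below is used.
"""
import ipaddress
import shlex
import sys

# Constructed sample of `ip6tables -S DOCKER-USER` for the rules in the
# after6.rules diff above (ip6tables prints matches in its own order, the
# parser does not rely on that order).
SAMPLE_DOCKER_USER = """\
-N DOCKER-USER
-A DOCKER-USER -j ufw6-user-forward
-A DOCKER-USER -s fd00:dead:beef::/48 -j RETURN
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -d fd00:dead:beef::/48 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw6-docker-logging-deny
-A DOCKER-USER -d fd00:dead:beef::/48 -p udp -m udp --dport 0:32767 -j ufw6-docker-logging-deny
-A DOCKER-USER -j RETURN
"""

# Constructed sample container addresses. On a real host gather them with e.g.
#   docker inspect -f '{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}} {{end}}' <container>
SAMPLE_CONTAINERS = {
    "nginx": "fd00:dead:beef::242:ac11:2",    # default bridge, inside fixed-cidr-v6 (from the issue)
    "app-on-custom-net": "fd00:1234:5678::2",  # assumed user-defined network with its own --subnet
}

DENY_CHAIN = "ufw6-docker-logging-deny"


def deny_prefixes(rules_text, deny_chain=DENY_CHAIN):
    """Destination prefixes of every -A rule that jumps to the deny chain.

    A deny rule without -d matches every destination, so it is recorded as ::/0.
    Protocol/port qualifiers (-p, --dport) are ignored: this check is only about
    whether a destination address can reach the deny chain at all.
    """
    prefixes = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue
        if "-j" not in tokens or tokens[tokens.index("-j") + 1] != deny_chain:
            continue
        if "-d" in tokens:
            prefixes.append(ipaddress.ip_network(tokens[tokens.index("-d") + 1], strict=False))
        else:
            prefixes.append(ipaddress.ip_network("::/0"))
    return prefixes


def unprotected_containers(rules_text, containers, deny_chain=DENY_CHAIN):
    """Names of containers whose address is in none of the denied prefixes."""
    nets = deny_prefixes(rules_text, deny_chain)
    unprotected = []
    for name, addr in containers.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            unprotected.append(name)
    return unprotected


def report(rules_text, containers):
    """Human-readable summary; returns the unprotected names for callers."""
    nets = deny_prefixes(rules_text)
    print("deny prefixes in DOCKER-USER:", ", ".join(map(str, nets)) or "(none)")
    bad = unprotected_containers(rules_text, containers)
    for name in bad:
        print(f"WARNING: {name} ({containers[name]}) is outside every deny prefix;"
              " its published ports fall through to the final RETURN")
    if not bad:
        print("all listed containers are covered by the deny rules")
    return bad


if __name__ == "__main__":
    text = SAMPLE_DOCKER_USER if sys.stdin.isatty() else sys.stdin.read()
    report(text, SAMPLE_CONTAINERS)
```

The check is deliberately conservative: it only asks whether an address can reach the deny chain at all, not whether the TCP SYN and UDP low-port qualifiers on those rules cover the ports a container publishes. A container flagged here is reachable on every published IPv6 port no matter what `ufw route` rules exist, which is exactly the gap the hard-coded `/48` in the generated block leaves open.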

Does this get merged anytime soon?

byayex, Dec 10 '24 15:12

Thank you for this helpful PR, I'll check it soon.

chaifeng, Dec 16 '24 13:12