limkopi ☕️

security | dev | finance | life

github instagram
UFW + Docker: Running Hand in Hand?
Dec 18, 2018
3 minutes read

Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu. It’s easy to configure and easy to manage by an amateur like me. It’s disabled by default but you can enable UFW easily with the default set of rules like this:

sudo ufw enable

Now, in my setup I am running Ubuntu Server 16.04 as a virtual machine on my Macbook. In the server I have a Postgres container.

$ docker run --name test_postgres -e POSTGRES_PASSWORD=mysecretpassword -p 5432:5432 postgres 
$ docker ps -a | grep postgres
$ dd10fc032a12        postgres    "docker-entrypoint.s…"   28 seconds ago      Up 26 seconds                5432/tcp

The database can be accessible by other containers in the server but it should not be accessed by anyone outside of my virtual machine.

If you have paid attention to your networking lecture, the usual practice is to deny all incoming traffic and only allow some ports to be exposed to the outside world. In my case, I need SSH to be accessible outside of the host.

$ sudo ufw default deny incoming
Default incoming policy changed to 'deny'
$ sudo ufw allow ssh
Rule added
Rule added (v6)
$ sudo ufw reload
Firewall reloaded
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)

This should be sufficient to help us block anyone from accessing our container in the server… or not.

To test that no one outside of the virtual machine can connect to the Postgres server, I used pgAdmin4 on my Macbook and attempted to establish a connection to the container. And guess what? I was actually able to connect to the Postgres instance successfully!

This cannot be right as we have already block all incoming traffic except for SSH services. So what has gone wrong? Now, let’s check our iptables:

$ sudo iptables --list | grep postgresql
ACCEPT     tcp  --  anywhere              tcp dpt:postgresql

Hah, so it turns out that Docker has modified iptables directly to allow the container to bind to port 5432. To prevent Docker from modifying iptables, we will need to set iptables key to be false in /etc/docker/daemon.json.

I didn’t have that file in my folder so I went ahead to create the file.

$ sudo vim /etc/docker/daemon.json

Following the guide, I added the following content in the file:

    "iptables": false

Lastly, I restarted Docker.

sudo systemctl restart docker

Andddddddddddd it finally works!

The downside is that your docker can never be connected outside of your host machine by default. You can change the behaviour by adding appropriate rules via ufw or iptables.


category: dev

Back to posts