I’ve recently learned that UFW firewall rules do not affect Docker containers. I am looking into learning firewall rules in depth but in the meantime I want make sure I don’t fuck something up, so here are a few questions:

1- On a host that drops all incoming connections (configured through UFW), if I have a container with only a single port mapping 127.0.0.1:8080:80 is there any way to access this container through the public internet, what about 8080:80 or no port mapping at all?

2- How do I drop all incoming connections to all Docker containers and do I need to do that? Similar to ufw default deny incoming?

3- Is there a way to see all incoming/outgoing connections of all containers?

Thanks in advance and any resource advice for securing docker for dummies is appreciated.

  • tux7350@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    2 months ago

    Oh boy I went down this same rabbit hole awhile ago. Here is a git repository that will explain why this happens and also offers a fix on how to modify your IP tables to ensure that docker respects the UFW.

    Docker and UFW

  • Max-P@lemmy.max-p.me
    link
    fedilink
    English
    arrow-up
    11
    ·
    2 months ago

    With Docker, the internal network is just a bridge interface. The reason most firewall rules don’t apply is a combination of:

    • Containers have their own namespace including network namespace, so each container have a blank iptables just for them.
    • For container communication, that goes through the FORWARD table, not the INPUT/OUTPUT ones.
    • Docker adds its own rules to ensure that this works as expected.

    The only thing that should be affected by the host firewall is the proxy service Docker uses to listen on a port on the host and send it to the container.

    When using Docker, each container acts like an independent machine, and your host gets configured to act as a router. You can firewall Docker containers, the rules just need to be in the right place to work.

    • Quail4789@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      Thanks, just to clarify, even if I deny all forwards on the host using UFW, that still won’t have an affect on Docker because Docker inserts its rules above UFW rules. Correct?

  • Rikudou_Sage@lemmings.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago
    1. For all the mentioned cases, if your firewall blocks incoming packets by default, no one can access it, no matter what is the source of the port being open.

    2. You don’t configure it on the docker level, at least if you care about outside connections. If you mean from your local computer to a docker container, by default you cannot connect, unless you expose the port to the system. If you mean from other docker containers, just create your own separate network to run the container in and even docker containers cannot access the ports.

    3. I usually use netstat -tulpn, it lists all ports, not only docker, but docker is included. docker ps should also show all exposed ports and their mappings.

    In general, all docker containers run on some internal docker network. Either the default or a custom one. The network’s ports don’t interfere with your own, that’s why you can have 20 nginx servers running in a docker container on the same port. When you bind a port in docker, you basically create a bridge from the docker network to your PC’s local network. So now anything that can connect to your PC can also connect to the service. And if you allow connection to the port from outside the network, it will work as well. Note that port forwarding on your router must be set up.

    So in conclusion, to actually make a service running in docker visible to the public internet, you need to do quite a few steps!

    • bind a port to your local host
    • have your local firewall allow connection to the port
    • have your router set up to forward connections on the port to your machine

    On Linux, local firewall is usually disabled by default, but the other two steps require you to actively change the default config. And you mention that all incoming traffic is dropped using UFW, so all three parts should be covered.

  • Dangerhart@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I too read that it didn’t work with docker but that was not my experience on Ubuntu 24.04. Maybe it’s just docker desktop but I had all sorts of other issues with docker desktop and ditched it for plain docker, using lazydocker for an interface. I think one of the issues for outgoing connections at least is that IPs for the containers can change. I don’t remember exactly what my setup is currently but you shouldn’t have an issue opening up just specific ports mapped to a container while having default deny incoming. Not specific to containers but there are a few different Linux commands to get all ports and the processes listening on them, I used them extensively to debug my firewall setup. I can’t remember them either off the top of my head but you should be able to google for your distro.

    • Dangerhart@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      To add, you may not need to worry too much about setting up a firewall if your machine is behind a router/gateway that also has a firewall. There are arguments both ways, I would suggest researching that some. I did it because I could so why not, but I also only have wireguard exposed publicly so it may be over kill

  • BK85@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    3
    ·
    2 months ago

    Try tailscale for remote acess run it as a docker container. I csnt help you with the other questions.

    • Quail4789@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      2
      ·
      2 months ago

      telling someone asking these questions to read up on networking is the same as telling someone who’s asking why they can’t fly in the air to “just” read up on physics

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        17
        ·
        2 months ago

        Then maybe you’re not equipped to be attempting this. It’s basic networking.

        If I ask and invite an electrician out to my house and proceed to tell him how I can just do it all myself, I deserve the horrible outcome.

        DF.

        • monkeyman512@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          arrow-down
          1
          ·
          2 months ago

          I think the important factor is that you have contributed nothing of value to help this person learn. You could have linked to a useful resources, you have suggested Google searches to point in the correct direction. But you basically said “This is easy, RTFM”. Next time at least send them the manual they should read.

            • monkeyman512@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              2 months ago

              Let’s say that yes, you pointed them to “networking”. The issue is that they have a specific problem and you are pointing to a topic so broad and deep with no specific direction. But you also say “it’s basic”. Well if it truly is basic and they still don’t get it, this would be a clear indication that they need some level of hand holding. Last if your feeling “that is a lot of work, I don’t want to do that” no problem you don’t have to. But in that that situation I would suggest reviewing before commenting: is it going to get the person closer to a solution? Is encouraging to the person? Am I indicating I also have this problem indicating someone else could step in and help multiple people at once? Is it funny? If it’s no on all those, maybe don’t comment.