Difference between revisions of "Configure UFW to manage Docker related connections"

From DiscordDigital Wiki
Jump to navigation Jump to search
(Created page with "==Prologue== This guide applies to Ubuntu 20.04. After you installed docker and setup UFW to block all connections by default, docker will bypass the firewall entirely. You c...")
 
 
(2 intermediate revisions by the same user not shown)
Line 2: Line 2:
This guide applies to Ubuntu 20.04. After you installed docker and setup UFW to block all connections by default, docker will bypass the firewall entirely.
This guide applies to Ubuntu 20.04. After you installed docker and setup UFW to block all connections by default, docker will bypass the firewall entirely.


You can fix this by creating/editing following file: <code>/etc/docker/daemon.json</code><syntaxhighlight lang="json">
To fix this issue follow this guide to configure Docker and UFW to properly work together.
 
=== /etc/docker/daemon.json===
 
Start by creating/editing following file: <code>/etc/docker/daemon.json</code><syntaxhighlight lang="json">
{
{
"iptables": false
"iptables": false
}
}
</syntaxhighlight>Once done, you need to edit following file as well: <code>/etc/ufw/after.rules</code>
</syntaxhighlight>
 
=== /etc/ufw/after.rules===
Then you need to edit following file as well: <code>/etc/ufw/after.rules</code>
 
Make sure to paste following lines '''before''' the last line in the file which is <code>COMMIT</code>


Make sure to paste following lines '''before''' the last line in the file which is <code>COMMIT</code><syntaxhighlight lang="md">
Also adjust <code>ens3</code> to your default interface name.<syntaxhighlight lang="md">
# Put Docker behind UFW
# Put Docker behind UFW
*filter
*filter

Latest revision as of 16:10, 22 September 2021

Prologue

This guide applies to Ubuntu 20.04. After you installed docker and setup UFW to block all connections by default, docker will bypass the firewall entirely.

To fix this issue follow this guide to configure Docker and UFW to properly work together.

/etc/docker/daemon.json

Start by creating/editing following file: /etc/docker/daemon.json

{
"iptables": false
}

/etc/ufw/after.rules

Then you need to edit following file as well: /etc/ufw/after.rules

Make sure to paste following lines before the last line in the file which is COMMIT

Also adjust ens3 to your default interface name.

# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]

-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i ens3 -j ufw-user-input
-A DOCKER-USER -i ens3 -j DROP
# End Docker UFW rules

Once you've done this, execute following commands to apply your changes:

Small Warning.png This will restart all your docker containers.

sudo systemctl restart ufw

sudo systemctl restart docker

Test your configuration to make sure the changes are working.