Configure UFW to manage Docker related connections
Latest revision as of 16:10, 22 September 2021
==Prologue==
This guide applies to Ubuntu 20.04. Once you have installed Docker and configured UFW to block all incoming connections by default, Docker will bypass the firewall entirely: it inserts its own iptables rules for published container ports, so those ports are reachable from outside regardless of your UFW policy.
To fix this, follow this guide to configure Docker and UFW so that they work together properly.
=== /etc/docker/daemon.json ===
Start by creating or editing the following file: <code>/etc/docker/daemon.json</code>
<syntaxhighlight lang="json">
{
  "iptables": false
}
</syntaxhighlight>
With <code>iptables</code> set to <code>false</code>, Docker no longer adds any iptables rules of its own, including the NAT rules it normally creates for container traffic, so check after the restart below that your containers still have the connectivity they need.
=== /etc/ufw/after.rules ===
Then edit the following file as well: <code>/etc/ufw/after.rules</code>
Paste the following lines '''before''' the last line of the file, which is <code>COMMIT</code>.
Also replace <code>ens3</code> with the name of your default interface (the one carrying your default route; <code>ip route show default</code> prints it).
<syntaxhighlight lang="text">
# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
# Let replies to connections that are already allowed through, drop broken packets
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
# New connections arriving on the external interface must pass the UFW user rules; everything else is dropped
-A DOCKER-USER -i ens3 -j ufw-user-input
-A DOCKER-USER -i ens3 -j DROP
# End Docker UFW rules
</syntaxhighlight>
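Automating the edit above, as an added example that is not part of the original page: a POSIX shell script that inserts the rule block before the last <code>COMMIT</code> line of an after.rules file for a chosen interface, refuses to insert it a second time, and can be tried on a copy of the file without root. The function names, the temporary-file handling and the <code>default_iface</code> helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): installs the page's DOCKER-USER
# block into a UFW after.rules file, just above its final COMMIT line, with
# the chosen interface substituted for "ens3". Function names are this
# example's own; run it on a copy of the file first.
set -eu

# Emit the rule block from the page for interface $1.
docker_ufw_rules() {
    cat <<EOF
# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i $1 -j ufw-user-input
-A DOCKER-USER -i $1 -j DROP
# End Docker UFW rules
EOF
}

# Insert the block into file $1 for interface $2 before the LAST "COMMIT"
# line. Returns 2 if the block is already present (keeps the file unchanged)
# and 1 if the file has no COMMIT line at all.
install_docker_ufw_rules() {
    file="$1"; iface="$2"
    grep -q '^# Put Docker behind UFW' "$file" && { echo "already installed" >&2; return 2; }
    last=$(grep -n '^COMMIT' "$file" | tail -n1 | cut -d: -f1)
    [ -n "$last" ] || { echo "no COMMIT line in $file" >&2; return 1; }
    tmp=$(mktemp)
    head -n "$((last - 1))" "$file" > "$tmp"     # everything above the last COMMIT
    docker_ufw_rules "$iface" >> "$tmp"          # the rule block
    tail -n "+$last" "$file" >> "$tmp"           # COMMIT and anything after it
    mv "$tmp" "$file"
}

# Name of the interface carrying the default route; falls back to the page's ens3.
default_iface() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}' | grep . || echo ens3
}

# Usage on a copy (no root needed):
#   cp /etc/ufw/after.rules /tmp/after.rules
#   install_docker_ufw_rules /tmp/after.rules "$(default_iface)"
```

Diff the modified copy against the original before moving it into place as root.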
Once you have done this, run the following commands to apply your changes. Note that restarting Docker will restart all of your containers.
<syntaxhighlight lang="bash">
sudo systemctl restart ufw
sudo systemctl restart docker
</syntaxhighlight>
Test your configuration to make sure the changes are working: <code>sudo iptables -S DOCKER-USER</code> should list the rules above, and a port published by a container should only be reachable from outside the host when a matching <code>ufw allow</code> rule exists.