Configure UFW to manage Docker related connections
Revision as of 13:40, 15 July 2021 by Discorddigital (talk | contribs)
Prologue
This guide applies to Ubuntu 20.04. After you installed docker and setup UFW to block all connections by default, docker will bypass the firewall entirely.
/etc/docker/daemon.json
Start by creating/editing following file: /etc/docker/daemon.json
{
"iptables": false
}
/etc/ufw/after.rules
Then you need to edit following file as well: /etc/ufw/after.rules
Make sure to paste following lines before the last line in the file which is COMMIT
# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i ens3 -j ufw-user-input
-A DOCKER-USER -i ens3 -j DROP
# End Docker UFW rules
Once you've done this, execute following commands to apply your changes:
This will restart all your docker containers.
sudo systemctl restart ufw
sudo systemctl restart docker
Test your configuration to make sure the changes are working.