Difference between revisions of "Configure UFW to manage Docker related connections"

From DiscordDigital Wiki
m (Added information about network interface name.)
Revision as of 16:03, 15 July 2021

Prologue

This guide applies to Ubuntu 20.04. After you have installed Docker and set up UFW to block all incoming connections by default, Docker will still bypass the firewall entirely: it manages its own iptables rules for published container ports, and those rules are evaluated before UFW's chains.

/etc/docker/daemon.json

Start by creating or editing the following file: /etc/docker/daemon.json

{
  "iptables": false
}

/etc/ufw/after.rules

Then you need to edit the following file as well: /etc/ufw/after.rules

Make sure to paste the following lines before the last line of the file, which is COMMIT.

Also replace ens3 in the rules below with the name of your default network interface.

# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]

-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i ens3 -j ufw-user-input
-A DOCKER-USER -i ens3 -j DROP
# End Docker UFW rules

Once you've done this, execute the following commands to apply your changes:

Warning: This will restart all your Docker containers.

sudo systemctl restart ufw

sudo systemctl restart docker

Test your configuration to make sure the changes are working, for example by confirming that a published container port is no longer reachable from outside until you allow it with ufw.
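The checks below are an added example, not part of the wiki page: a small POSIX sh script that verifies the two edits this guide makes before you restart ufw and Docker. It checks that daemon.json really disables Docker's iptables management, that the DOCKER-USER block ended up before the final COMMIT line (pasting it after COMMIT is a common mistake, and ufw silently ignores it), and that the interface name in the rules matches the host's default route. It assumes the file paths from the guide, that rules use the "-i <interface>" form shown above, and that iproute2's ip command is available for the interface lookup; the sample files it writes to a temporary directory are constructed for the demonstration and are not real host configuration.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the UFW/Docker edits.

# Interface carrying the default route (assumes iproute2; empty if unavailable).
default_iface() {
    ip -o route show default 2>/dev/null | awk '{print $5; exit}'
}

# Succeeds only if daemon.json turns off Docker's own iptables handling.
daemon_json_ok() {
    grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# Succeeds only if a DOCKER-USER interface rule exists and sits before the
# final COMMIT, which is where ufw stops reading the file.
after_rules_ok() {
    rule_line=$(grep -n '^-A DOCKER-USER -i ' "$1" | tail -n1 | cut -d: -f1)
    commit_line=$(grep -n '^COMMIT$' "$1" | tail -n1 | cut -d: -f1)
    [ -n "$rule_line" ] && [ -n "$commit_line" ] && [ "$rule_line" -lt "$commit_line" ]
}

# Interface name used by the first DOCKER-USER rule in the file.
rules_iface() {
    sed -n 's/^-A DOCKER-USER -i \([^ ]*\) .*/\1/p' "$1" | head -n1
}

# Run all checks for one daemon.json and one after.rules; prints the reason
# on failure so the operator knows which edit to revisit.
check_config() {
    daemon_json_ok "$1" || { echo "FAIL: $1 does not set \"iptables\": false"; return 1; }
    after_rules_ok "$2" || { echo "FAIL: $2 lacks a DOCKER-USER block before COMMIT"; return 1; }
    have=$(rules_iface "$2")
    want=$(default_iface)
    if [ -n "$want" ] && [ "$have" != "$want" ]; then
        echo "FAIL: rules use $have but the default route is on $want"; return 1
    fi
    echo "OK: Docker traffic on $have is routed through ufw-user-input"
}

# ---- Constructed sample files (demonstration only, not real host config) ----
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/daemon.json" <<'EOF'
{
  "iptables": false
}
EOF

# Correct placement: the block is above the closing COMMIT.
cat > "$SAMPLE_DIR/after.rules.good" <<'EOF'
*filter
# (existing ufw after rules stay above this point)
# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]

-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i ens3 -j ufw-user-input
-A DOCKER-USER -i ens3 -j DROP
# End Docker UFW rules
COMMIT
EOF

# Wrong placement: the block was pasted after COMMIT and never takes effect.
cat > "$SAMPLE_DIR/after.rules.bad" <<'EOF'
*filter
# (existing ufw after rules stay above this point)
COMMIT
-A DOCKER-USER -i ens3 -j DROP
EOF

check_config "$SAMPLE_DIR/daemon.json" "$SAMPLE_DIR/after.rules.good" || true
check_config "$SAMPLE_DIR/daemon.json" "$SAMPLE_DIR/after.rules.bad" || true
```

On a real host, call check_config /etc/docker/daemon.json /etc/ufw/after.rules before the restart step; the interface comparison is skipped when ip is not available, so on minimal systems confirm the interface name by hand.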