Introduction:
I’m not really sure how well known this DANGEROUS situation is overall, but I will try to explain it a bit here, because I’m not a specialist in Docker, nor in iptables, nor in UFW.
Situation:
If, for example, you install Docker on your Linux system (say Ubuntu 18.x) and want to use UFW as a firewall to block access from the Internet to some internal ports offered by Docker containers, you are in for a bad surprise. Docker inserts its own iptables rules, and these take effect before the normal INPUT filter chain where UFW's rules live. The result is that all the ports published by containers running in Docker are reachable from the Internet even if you blocked them in the UFW firewall. That is a very dangerous situation, where not-so-well-protected ports in Docker containers could easily get hacked.
Half Workaround:
The issue is discussed in depth in the following thread:
https://github.com/moby/moby/issues/4737
The quick and dirty solution is the following.
Note: Please read that thread first, since the implications of doing this might break some inner workings of your Docker containers.
Set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw
Set DOCKER_OPTS="--iptables=false" in /etc/default/docker
On Ubuntu 18.04 things are different, because Docker is started by systemd, so /etc/default/docker is ignored. The solution described here creates the file /etc/systemd/system/multi-user.target.wants/docker.service with this content (the empty ExecStart= line clears the command inherited from the packaged unit before the new one is set):
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
and then issues systemctl daemon-reload afterwards.
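As an added example (not part of the original post), the following shell helpers audit the three things the workaround above touches: whether the dockerd unit really passes --iptables=false, whether /etc/default/ufw sets DEFAULT_FORWARD_POLICY to ACCEPT, and which container ports Docker has published through DNAT rules in the nat table (the ports that bypass UFW's INPUT rules while Docker manages iptables). The unit text, ufw file and `iptables -t nat -S` output embedded below are constructed samples; on a real host you would feed in the actual files and command output.

```shell
#!/bin/sh
# Added example, not from the original post. Each helper parses text passed
# as its first argument, so it works on real output or on the samples below.

# Return 0 if the systemd unit text starts dockerd with --iptables=false.
dockerd_iptables_disabled() {
  printf '%s\n' "$1" | grep -E '^ExecStart=.*dockerd.*--iptables=false' >/dev/null
}

# Return 0 if the /etc/default/ufw content sets DEFAULT_FORWARD_POLICY="ACCEPT".
ufw_forward_accept() {
  printf '%s\n' "$1" | grep -E '^DEFAULT_FORWARD_POLICY="?ACCEPT"?' >/dev/null
}

# Print proto/port for every container port Docker published via DNAT,
# given `iptables -t nat -S` output. While Docker manages iptables, these
# ports are reachable from outside regardless of UFW's INPUT rules.
docker_published_ports() {
  printf '%s\n' "$1" | awk '
    /^-A DOCKER / && /-j DNAT/ {
      proto = ""; dport = "";
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1);
        if ($i == "--dport") dport = $(i + 1);
      }
      if (proto != "" && dport != "") print proto "/" dport
    }'
}

# Constructed sample data standing in for the real files and command output.
SAMPLE_UNIT='[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false'
SAMPLE_UFW='DEFAULT_INPUT_POLICY="DROP"
DEFAULT_FORWARD_POLICY="ACCEPT"'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379'

# On a live host, run for example:
#   docker_published_ports "$(iptables -t nat -S)"
#   ufw_forward_accept "$(cat /etc/default/ufw)"
```

An empty result from docker_published_ports on a live host after the change means Docker no longer installs DNAT rules for published ports, so UFW's rules are the only ones deciding what is reachable.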
Note: If you know of a more elegant solution, please send it as a comment and I will be glad to include it here.