Quick Links

Surprisingly, Docker does not work out of the box with Linux's "Universal Firewall," or UFW. They both modify the same iptables configuration, and this can lead to misconfigurations exposing containers that weren't supposed to be public. Here's how to fix it.

Why Doesn't Docker Work With UFW?

UFW is intended to be a very simple firewall. The problem is that both UFW and Docker try to modify the same underlying firewall rules, and this conflict requires extra setup to sort out if you want to run UFW and Docker together.

If you set up a basic UFW firewall to deny by default and allow HTTP and SSH, this will appear secure---but it will not block Docker from starting containers bound to other ports. This issue can be hard to catch, as UFW and Docker are separate systems. UFW is unknowingly lying to you and will not show open ports from Docker containers.

This can be a major problem if you don't catch it. For example, perhaps you wanted to run an internal admin panel on port 8000, and whitelist it to your own IP address. While this isn't the most secure setup to begin with, it's usually alright, especially if the panel has additional authentication.

However, UFW will show the firewall rule as properly whitelisted, and it will of course be visible to you from your whitelisted location. But, if it's run through Docker, it will be visible on port 8000 from anywhere by default.

Fixing Docker's Config

There is a solution Docker provides, by editing 

        /etc/default/docker

 or 

        /etc/docker/daemon.json

 and simply turning off Docker's iptables functionality altogether: 

DOCKER_OPTS="--iptables=false"

This works, however, this is only a half solution. It disables Docker's ability to manage its own networking and can cause containers to not be able to access the internet at all out of the box. This can still work, but you'll need to manually maintain iptables rules for Docker containers and custom networks, which is complicated, annoying, and defeats the purpose of UFW's simplicity.

The real solution is complicated, but luckily is common enough that there's a helpful Github repo detailing the problem and the steps to fix it. Essentially, you need to modify UFW's config at /etc/ufw/after.rules to add the following block at the end: 

# BEGIN UFW AND DOCKER
    
    

            *filter
    
    

            :ufw-user-forward - [0:0]
    
    

            :ufw-docker-logging-deny - [0:0]
    
    

            :DOCKER-USER - [0:0]
    
    

            -A DOCKER-USER -j ufw-user-forward
    
    

            -A DOCKER-USER -j RETURN -s 10.0.0.0/8
    
    

            -A DOCKER-USER -j RETURN -s 172.16.0.0/12
    
    

            -A DOCKER-USER -j RETURN -s 192.168.0.0/16
    
    

            -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
    
    

            -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
    
    

            -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
    
    

            -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
    
    

            -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
    
    

            -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
    
    

            -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
    
    

            -A DOCKER-USER -j RETURN
    
    

            -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
    
    

            -A ufw-docker-logging-deny -j DROP
    
    

            COMMIT
    
    

            # END UFW AND DOCKER

You can do that manually, but there's a nice utility also provided in this repo that will automate it, and provide some helpful commands for checking the real firewall status. You can download it from this repo: 

sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
    
    

            sudo chmod +x /usr/local/bin/ufw-docker

Then, install the config, and restart UFW. 

ufw-docker install
    
    

            sudo systemctl restart ufw

Once restarted, the changes should apply automatically, but if they don't, you may need to restart Docker or your machine in general. Once it's enabled, the ports should all be properly blocked.

Whitelisting Docker Container Ports With UFW

This solution does require you to configure the port a little differently. The ufw-docker utility has a command that will selectively whitelist ports to specific Docker containers. 

ufw-docker allow httpd 80

However, if you want to use a more advanced rule, such as IP based whitelisting, you'll have to use ufw route allow 

ufw route allow proto tcp from 1.2.3.4 to any port 9443