Reputation: 3068
I have a development server with this UFW config:
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
22/tcp (v6)                LIMIT       Anywhere (v6)
123/udp                    ALLOW OUT   Anywhere
DNS                        ALLOW OUT   Anywhere
80/tcp                     ALLOW OUT   Anywhere
443/tcp                    ALLOW OUT   Anywhere
22/tcp                     ALLOW OUT   Anywhere
123/udp (v6)               ALLOW OUT   Anywhere (v6)
DNS (v6)                   ALLOW OUT   Anywhere (v6)
80/tcp (v6)                ALLOW OUT   Anywhere (v6)
443/tcp (v6)               ALLOW OUT   Anywhere (v6)
22/tcp (v6)                ALLOW OUT   Anywhere (v6)
My problem is that this also blocks traffic internally from Docker.
I run a Docker container that maps 8000:8000 for HTTP, and if I disable UFW I can make requests as expected. However, when UFW is enabled, I can't reach port 8000 even internally.
How do I allow this traffic for internal use? I want to access it via ssh -L 8000:127.0.0.1:8000 example.com, so I don't want to open port 8000 for external access.
UPDATE:
Thinking that the problem might be that UFW also applies the rules to the loopback interface, I updated my rule set with these new rules:
To                         Action      From
--                         ------      ----
Anywhere on lo             ALLOW       Anywhere
Anywhere on 127.0.0.1      ALLOW       Anywhere
Anywhere (v6) on lo        ALLOW       Anywhere (v6)
Anywhere (v6) on 127.0.0.1 ALLOW       Anywhere (v6)
Anywhere                   ALLOW OUT   Anywhere on lo
Anywhere                   ALLOW OUT   Anywhere on 127.0.0.1
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on lo
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on 127.0.0.1
This does not solve the problem.
Upvotes: 4
Views: 8446
Reputation: 1951
ufw allow from <some_address> to any app <app_name>

The man page states not to enter a port number:

    You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.

This probably means it will let <app_name> use whatever port it needs to.

Other commands which might be useful:

ufw app info <app_name>

which lists the information on <app_name>'s profile.

ufw app update <app_name>

which updates <app_name>'s profile. You can use all to update all application profiles.

You can use the

ufw app update --add-new <app_name>

command to add a new profile for <app_name> and update it, following the rules you set out with ufw app default <policy>.

App profiles are stored in /etc/ufw/applications.d and sometimes /etc/services.

For more information, view the man page for ufw:

man ufw
Update: Docker uses a private interface called docker0; you can allow access for Docker to your host system.
You can use the information on the interface to create a rule, for example:

ufw allow out on docker0 from 172.17.0.0/16

Using the port, you can make this rule stricter, for example:

ufw allow out on docker0 from 172.17.0.0/16 port 80 proto tcp

Docker creates a new interface for containers; to view it, you can use the ifconfig command:
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:a4:5e:e9:9c txqueuelen 0 (Ethernet)
RX packets 87 bytes 17172 (17.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 117 bytes 14956 (14.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This interface routes traffic through 172.17.xxx.xxx
Upvotes: 1
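As an added example (not part of the answer above, and not from the ufw or Docker projects), here is what the answer's two pieces look like when put together for the question's setup: a UFW application profile for the container's published port 8000/tcp, installed under /etc/ufw/applications.d, and the rules that reference it while restricting them to the docker0 bridge. The profile name docker-web, the file name, and the assumption that the container sits on the default bridge (172.17.0.0/16 on docker0, as in the ifconfig output above) are assumptions, not facts from the page.

```ini
; /etc/ufw/applications.d/docker-web   (added example; file and profile name are assumptions)
; One section per profile. "ports" takes the same port/proto syntax as "ufw allow",
; with several entries separated by "|" (e.g. 8000/tcp|8001/tcp).
[docker-web]
title=Docker web container
description=Container port published to the host as 8000:8000 (as in the question)
ports=8000/tcp
```

After saving the file, load and check the profile, then reference it with the extended syntax the answer quotes from the man page (no port or protocol on the command line, "app" in place of the port clause):

sudo ufw app update docker-web
sudo ufw app info docker-web
sudo ufw allow in on docker0 from 172.17.0.0/16 to any app docker-web
sudo ufw allow out on docker0 to 172.17.0.0/16 app docker-web
sudo ufw status

Two caveats a practitioner should keep in mind. First, the interface restriction is what keeps this narrower than ufw allow 8000/tcp: the rules only match packets entering or leaving via docker0, so they do not expose port 8000 on the public interface. Second, Docker writes its own iptables rules (the DOCKER and DOCKER-USER chains) independently of UFW, so a port published as -p 8000:8000 is bound on every host address regardless of what ufw status shows; if the goal is that port 8000 is reachable only through the ssh -L tunnel, publish it on loopback only (-p 127.0.0.1:8000:8000) and verify with sudo iptables -t nat -L DOCKER -n that the DNAT rule carries the 127.0.0.1 destination.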