Docker bypasses UFW security

janmottl · January 7, 2021, 6:13am

OS: Ubuntu 20.04.1 LTS
Docker: 20.10.2

Docker bypasses UFW security and opens http port which should be accessible only via openvpn.

Tips like suppressing iptables changes seem not be the right solution.

Is there any official Docker solution or recommnedation? Thanks

janmottl · January 7, 2021, 10:44am

Finally I have found this excelent solution. Docker containers are exposed only via openvpn like required

github.com

chaifeng/ufw-docker/blob/master/README.md#solving-ufw-and-docker-issues

To Fix The Docker and UFW Security Flaw Without Disabling Iptables
==================

[![Build Status](https://travis-ci.org/chaifeng/ufw-docker.svg)](https://travis-ci.org/chaifeng/ufw-docker)
[![chaifeng/ufw-docker-agent](https://img.shields.io/docker/pulls/chaifeng/ufw-docker-agent)](https://hub.docker.com/r/chaifeng/ufw-docker-agent)

- [English](#tldr)
- [中文](#太长不想读)

## TL;DR

Please take a look at [Solving UFW and Docker issues](#solving-ufw-and-docker-issues).

## Problem

UFW is a popular iptables front end on Ubuntu that makes it easy to manage firewall rules. But when Docker is installed, Docker bypass the UFW rules and the published ports can be accessed from outside.

The issue is:

1. UFW is enabled on a server that provides external services, and all incoming connections that are not allowed are blocked by default.

This file has been truncated. show original