Security docker and ufw setup - Vserver

Hi folks,
I just learned to use docker a bit and I would like to say that it is great. As I am using it on a Vserver I have got a security question.

First I have to say, that I am using ufw with the modification of: GitHub - chaifeng/ufw-docker: To fix the Docker and UFW security flaw without disabling iptables to make it work with docker. ufw-docker is running properly so far and doing its job.

For my containers I use a customnetwork (10.0.0.0/24), cause I don’t want docker to dhcp.

If I create firewall-rules for docker/dockercontainers I use the syntax (e.g.)

ufw route allow proto tcp from any to 10.0.0.3 port 443 comment 'Incoming all to NGINX Proxy'

10.0.0.3 = static IP of my docker-container (NGINX PM)

Question: Is it secure to allow traffic from external network directly to a docker container?
In my case the docker-container which is accessible from external is “only” the NGINX Proxy Manager.
The NPM itself is forwarding requests coming to defined FQDNs to the internal dockernetwork (customnetwork 10.0.0.x in my case)

Some DNS Question
I also noticed that containers running in my 10.0.0.x network are not able to resolve IPs until I give ufw a rule, that allows outgoing traffic from a container e.g:

10.0.0.5 = my Nextcloudcontainer

ufw route allow proto tcp from 10.0.0.5 to any

Thank you very much!

Where would that traffic go if not directly to a Docker container? Since a container is just an isolated process, it is not less secure than just allowing any traffic into a physical machine or virtual machine. You can have any additional firewall in front of that machine.

What is the question? :slight_smile: I only see an observation.

Right! Sorry. The question is whether this is normal behaviour, but I reinstalled Docker once more and then it worked without this rule. (DNS lookups worked out of the box).

What concerns me most is that you have to do a modification to make ufw work (ufw after rules as mentioned).

This will make ufw work in combination with Docker's iptables.

So you can work with ufw (ufw route allow / deny…) and control the dataflow to dockercontainers also.

But what if you use the modification of ufw, with enabled docker-iptables and would like to use fail2ban or crowdsec directly on the dockerhost in addition to ufw & docker-iptables?

e.g.

Fail2ban is checking my ssh logs at hostlevel, blocking failed logins (max 2)
I also let Fail2ban check the logs of Nginx-Proxy-Manager in a docker-container, using /var/lib/docker/volumes/npm/logs/*.log

What happens now, if fail2ban gets triggered by some action in the NPM logs?
It will certainly set up a blocking rule with iptables.
But will this be the right rule to really block attempts against NPM, or will it just set up a rule only on the hostlevel and not for the dockercontainer?

As I am unsure about that, and my services are public facing, I did another test on a testmachine.

I disabled Docker's iptables abilities. I know this is not recommended, because it breaks the networking of Docker (more or less).

That way UFW is working out of the box and I may control dataflow to the containers directly.
I think with this solution I might also be able to use fail2ban (or even crowdsec) without interfering with Docker's iptables.

BUT: The containers cannot connect to the internet that way. I tried to figure out how to do a correct masquerading to let containers in my 10.0.0.x network to “talk” to the internet, but I cannot figure it out.

So is there a possibility to make the containers accessible from the Internet (controlled by ufw) AND let the containers connect to the internet (without Docker's iptables enabled)?

Internal network of the containers (bridge), custom ip (10.0.0.0/24), physical nic ENS3?

Thanks!
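One way to do the masquerading with ufw alone, as an added example that is not part of this thread: with dockerd started with `"iptables": false`, put a `*nat` stanza into `/etc/ufw/before.rules`, enable forwarding in `/etc/ufw/sysctl.conf`, and allow the container subnet out with `ufw route`. The subnet (10.0.0.0/24), the NPM address (10.0.0.3) and the uplink interface (ens3) are taken from the thread and are assumptions to adjust; `add_nat_stanza` edits a copy of the file so it can be tried offline, `apply_host` is the root-only part.

```shell
#!/bin/sh
# Added example (not from the thread): ufw-native masquerading for a Docker
# user-defined bridge when dockerd runs with "iptables": false.
CONTAINER_NET="${CONTAINER_NET:-10.0.0.0/24}"   # assumption: custom bridge subnet
UPLINK_IF="${UPLINK_IF:-ens3}"                   # assumption: physical NIC
NPM_IP="${NPM_IP:-10.0.0.3}"                     # assumption: NGINX Proxy Manager

# The nat table stanza that belongs in /etc/ufw/before.rules, ahead of "*filter".
nat_stanza() {
  printf '%s\n' \
    '*nat' \
    ':POSTROUTING ACCEPT [0:0]' \
    "-A POSTROUTING -s ${CONTAINER_NET} -o ${UPLINK_IF} -j MASQUERADE" \
    'COMMIT'
}

# Insert the stanza into the before.rules file given as $1 (idempotent).
# Returns 0 when the file was changed, 1 when the rule was already there.
add_nat_stanza() {
  f="$1"
  if grep -q -- "-A POSTROUTING -s ${CONTAINER_NET} -o ${UPLINK_IF} -j MASQUERADE" "$f"; then
    return 1
  fi
  # Place the nat table just before ufw's filter table; append if no *filter line exists.
  awk -v stanza="$(nat_stanza)" \
    '!done && /^\*filter/ { print stanza; done = 1 } { print }
     END { if (!done) print stanza }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Root-only host steps: forwarding, outbound NAT path, inbound rule to NPM, reload.
# DEFAULT_FORWARD_POLICY in /etc/default/ufw can stay DROP; the route rules are explicit.
apply_host() {
  add_nat_stanza /etc/ufw/before.rules || true
  grep -q '^net/ipv4/ip_forward=1' /etc/ufw/sysctl.conf \
    || echo 'net/ipv4/ip_forward=1' >> /etc/ufw/sysctl.conf
  ufw route allow from "$CONTAINER_NET" to any comment 'containers to internet'
  ufw route allow proto tcp from any to "$NPM_IP" port 443 comment 'Incoming all to NGINX Proxy'
  ufw reload
}
```

Reply packets for the masqueraded flows are accepted by the RELATED,ESTABLISHED rule ufw already has in its forward chain, so no extra inbound rule is needed for container-initiated traffic.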

I have no experience with fail2ban and I have only a little experience with ufw, but Docker has its own iptables chains and I think it has been used with Docker for a long time, so I don’t think it would be a problem. As for fail2ban, I don’t know how it modifies iptables rules, but there is a fail2ban image on Docker Hub, so I would be surprised if it was not compatible with Docker, since running Docker for only fail2ban would not make sense.

https://hub.docker.com/r/linuxserver/fail2ban

This is a really interesting question, but as I mentioned I am not an experienced UFW user so I would need to do some research and testing that I can’t do now unfortunately. Let’s hope someone else finds this topic who can help you more.


One thing that might work (just testing) is this:

If an action gets triggered now, ufw uses “route” to “block” IPs, which means that this is working for the Docker container AND the host simultaneously (as far as I tested for now).