Docker Community Forums


UFW Docker: Grant Access to SPECIFIC IP:SPECIFIC PORT Docker Container for ONLY SPECIFIC IP


(Dockershmocker2017) #1

A remote VNC GUI apps Docker container sits on 1.2.3.4:6789:5900,
and noVNC sits on 1.2.3.4:7890:80.

There are 36 IPs all attached to the same server; all go to 1.2.3.4.

External host port 6789 redirects incoming traffic to the internal Docker container's VNC port 5900.
External host port 7890 redirects incoming traffic to the internal Docker container's port 80 (nginx, noVNC).

I want to limit incoming traffic to VNC ONLY FROM MY IP 123.234.100.220, or IP RANGE 123.234.100.220/28

If the IP address is not equal to 123.234.100.220, then refuse access to VNC IP 1.2.3.4 on ports 6789, 7890, 5900, 80.

Docker ignores UFW:

ufw allow from 123.234.100.220 proto udp to any port 6789
ufw allow from 123.234.100.220 proto udp to any port 7890
ufw allow from 123.234.100.220 proto tcp to any port 6789
ufw allow from 123.234.100.220 proto tcp to any port 7890

Also, how do I block only the specific IP 1.2.3.4 with ports 6789, 7890?

I cannot block port 80, because another Docker container on a different IP has a web server running.

Do I have to block internal port 5900?


(Raj Chaudhuri) #2

Docker manipulates iptables directly, and therefore can insert rules that overrule the UFW ones. When you do a port mapping with -ip, docker inserts the necessary rules directly into iptables, and UFW rules do not apply there. Docker also creates some NAT rules for container networking.

If you want to prevent this from happening, you have to configure docker to not manipulate iptables, and create the NAT rules yourself. To prevent docker from manipulating iptables, create or modify the file /etc/docker/daemon.json and ensure the following entry exists:

"iptables": false

For configuring the NAT rules, follow the instructions given in the following article:
https://svenv.nl/unixandlinux/dockerufw/

Do not follow the instructions in the section called “Prevent Docker from using iptables” in that article. The way to do that has changed. You now have to edit the daemon.json file as shown above.

After doing all this, restart docker and then configure your UFW rules.
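The daemon.json setting from this reply plus the UFW rules the original question asks for, as an added example that is not from the thread or from Docker. It uses the thread's placeholder values (host IP 1.2.3.4, host ports 6789 and 7890, trusted range 123.234.100.220/28); the function names and the DRY_RUN/HOST_IP/ALLOWED/PORTS variables are this example's own, and it assumes Docker's default userland proxy is still on, so that with "iptables": false the published ports are served by docker-proxy on the host and UFW's normal incoming rules apply to them.

```shell
#!/bin/sh
# Constructed example: emit the daemon.json entry and the UFW rules that limit the
# published VNC/noVNC ports on one host IP to a single trusted source range.
HOST_IP="${HOST_IP:-1.2.3.4}"            # the public IP the two containers are published on
ALLOWED="${ALLOWED:-123.234.100.220/28}" # only this range may reach VNC/noVNC
PORTS="${PORTS:-6789 7890}"              # host ports mapped to container 5900 and 80

# The setting from the reply above: Docker stops inserting its own iptables/NAT rules.
daemon_json() {
  printf '{\n  "iptables": false\n}\n'
}

# UFW evaluates rules top-down, so the allow for the trusted range must come before the
# deny for everyone else. Rules are scoped to HOST_IP, so port 80 and everything else on
# the server's other IPs are untouched. VNC and HTTP are TCP only; no UDP rules needed.
ufw_rules() {
  for port in $PORTS; do
    echo "ufw allow from $ALLOWED to $HOST_IP port $port proto tcp"
    echo "ufw deny from any to $HOST_IP port $port proto tcp"
  done
}

# Sanity check: ALLOWED must be a dotted quad with an optional /prefix.
valid_cidr() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# DRY_RUN=1 (default) only prints what would be done. Otherwise the daemon.json is
# written only if none exists yet (merge by hand if it does), the rules are applied,
# and Docker is restarted so the iptables setting takes effect.
apply() {
  valid_cidr "$ALLOWED" || { echo "bad ALLOWED: $ALLOWED" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = 1 ]; then
    daemon_json
    ufw_rules
    return 0
  fi
  if [ -e /etc/docker/daemon.json ]; then
    echo "/etc/docker/daemon.json exists: add \"iptables\": false to it manually" >&2
  else
    daemon_json > /etc/docker/daemon.json
  fi
  ufw_rules | sh -e
  systemctl restart docker
}
```

Run with no arguments to review the generated commands first; set DRY_RUN=0 to apply them.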


(Dockershmocker2017) #3

Easier was to make docker -p 127.0.0.1,
then connect to VNC on localhost via ssh -D socks5 from inside the server's network.