Make Docker play nicely with UFW on Ubuntu

[ndarilek]

UFW is Ubuntu's Uncomplicated FireWall. It lets you easily set up block/allow rules with a single command.

Unfortunately, it doesn't play nicely with Docker because they both configure IPTables. A container with ip_forward set to 1 cannot communicate outside of itself, but running:

ufw disable

brings down the firewall and everything starts working fine.

I'm fairly sure it is possible for packages to add UFW configuration such that their own behaviors can be supported, but I'm not immediately sure how. This may be the cause of various network issues under Ubuntu, so making Docker play nicely with UFW might resolve a number of issues for folks.

[vieux]

Hi,

When you turn UFW on, it uses a default set of rules (profile) that
should be fine for the average home user.
That's at least the goal of the Ubuntu developers. In short, all 'incoming'
is being denied, with some exceptions to
make things easier for home users.

Maybe one day, Docker will be part of the exceptions 😃

I'm not sure that adding a rule to ufw in our package is the right thing to do (for security reasons).
I think if you want to enable ufw, you have to add the right rules for docker:

sudo ufw allow 4243/tcp

What do you think @shykes @samalba ?

[shykes]

Does ufw also deny connections to 127.0.0.1:4243 ?

On Fri, Jul 26, 2013 at 9:30 AM, Victor Vieux notifications@github.comwrote:

Hi,

When you turn UFW on, it uses a default set of rules (profile) that
should be fine for the average home user.
That's at least the goal of the Ubuntu developers. In short, all 'incoming'
is being denied, with some exceptions to
make things easier for home users.

Maybe one day, Docker will be part of the exceptions [image: 😃]

I'm not sure that adding a rule to ufw in our package is the right thing
to do (for security reasons).
I think if you want to enable ufw, you have to add the right rules for
docker:

sudo ufw allow 4243/tcp

What do you think @shykes https://github.com/shykes @samalbahttps://github.com/samalba?

—
Reply to this email directly or view it on GitHubhttps://github.com/dotcloud/docker/issues/1251#issuecomment-21631993
.

[ndarilek]

IIRC it only blocks external connections to 4243 by default. Everything
works fine for me until I'm in a container and attempt to connect out,
at which point I can't ping any IP even with ip_forwarding set to 1.
Would a blocked connection to 4243 cause that?

[vieux]

@ndarilek it's because docker uses a bridge and ufw's default forward policy is to DROP, a quick fix is to ALLOW forwarding:

sudo nano /etc/default/ufw
----
# Change:
# DEFAULT_FORWARD_POLICY="DROP"
# to
DEFAULT_FORWARD_POLICY="ACCEPT"

[ndarilek]

Yes, this works for me. Thanks.

[joevandyk]

For what it's worth, I haven't touched ufw at all with Ubuntu 12.04, and everything seems to be working fine.

[vieux]

I'm not sure ufw is enable by default.

On Wed, Aug 7, 2013 at 11:42 PM, Joe Van Dyk notifications@github.comwrote:

For what it's worth, I haven't touched ufw at all with Ubuntu 12.04, and
everything seems to be working fine.

—
Reply to this email directly or view it on GitHubhttps://github.com/dotcloud/docker/issues/1251#issuecomment-22286603
.

Victor VIEUX
http://vvieux.com

[crosbymichael]

Closing because the documentation updates have been merged.

[honi]

What about using ufw to limit access to an exposed port from a docker container?
Say I have a redis container exposed through the host, and I want to deny all traffic except if it comes from a specific IP.

$ docker run -d -p <HostIP>:6379:6379 redis
$ ufw allow from <OtherHostIP> to <HostIP> port 6379
$ ufw deny to <HostIP>

This does not work for me. I can connect from any host to the redis container. Maybe my configuration is wrong. Any help is welcomed!

I think my problem is described in #4737.