@kireal
Last active June 6, 2021 22:29
ufw docker
Running Docker behind the ufw firewall
Ubuntu ships with a very nice and simple frontend for iptables called ufw (uncomplicated firewall). ufw makes it possible to set up a firewall without having to fully understand iptables itself. When you use Docker, however, and want to combine it with the ufw service, things do get complicated.
The docker service talks directly to iptables for networking, basically bypassing everything that is set up through the ufw utility and therefore ignoring the firewall. Additional configuration is required to prevent this behavior. The official Docker documentation, however, seems to be incomplete.
Configure DEFAULT_FORWARD_POLICY and port 2375
Connections from Docker containers get routed into the (iptables) FORWARD chain, which needs to be configured to allow connections through it. The default is to DROP them, so a change is required:
Open “/etc/default/ufw”.
sudo nano /etc/default/ufw
Set DEFAULT_FORWARD_POLICY to “ACCEPT”.
DEFAULT_FORWARD_POLICY="ACCEPT"
Save the file.
Reload ufw.
sudo ufw reload
Allow connections on port 2375.
sudo ufw allow 2375/tcp
Prevent Docker from using iptables
Remember that docker talks directly to iptables and that this bypasses ufw rules? Well, there is a solution for that. Docker can be configured to run without iptables. This also requires a file change:
Open “/etc/default/docker”.
sudo nano /etc/default/docker
Uncomment the line containing “DOCKER_OPTS”.
Add “--iptables=false” to that line.
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
Save the file.
Restart the docker service.
service docker restart
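The two file edits above (DEFAULT_FORWARD_POLICY in /etc/default/ufw and the DOCKER_OPTS line in /etc/default/docker) are easy to get wrong by hand, so here is an added example script, not part of the gist, that applies them idempotently. The functions take the file path as a parameter so they can be tried on a copy first; the file paths, the `--apply` switch and the ADMIN_IP placeholder are this example's own assumptions. Two caveats a practitioner will want: /etc/default/docker is only read by the Upstart/SysVinit service scripts, so on a systemd-based Ubuntu the equivalent setting is `"iptables": false` in /etc/docker/daemon.json; and port 2375 is the Docker daemon's unencrypted, unauthenticated TCP API socket, so it only needs a ufw rule if dockerd is actually listening on it, and then the rule should be limited to a known source address rather than the gist's open `ufw allow 2375/tcp`.

```shell
#!/bin/sh
# Added example (not from the gist): apply the /etc/default edits idempotently.
# FILE arguments are parameters so the functions can be tested on copies.

# set_kv FILE KEY VALUE
# Rewrite every KEY=... line (commented out or not) as KEY="VALUE", or append
# the line when KEY is absent. VALUE must not contain '|' or '&' (sed syntax).
set_kv() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*${key}=" "$file"; then
        sed -i "s|^#\{0,1\}[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY -> print the value of the first KEY=... line, quotes stripped.
# A commented-out line (#KEY=...) is read too, so existing defaults survive.
get_kv() {
    sed -n "s/^#\{0,1\}[[:space:]]*${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p" "$1" | head -n 1
}

# add_docker_opt FILE OPT
# Uncomment DOCKER_OPTS and append OPT to it unless OPT is already present,
# which is what the gist's "uncomment the line, add --iptables=false" step does.
add_docker_opt() {
    file=$1; opt=$2
    current=$(get_kv "$file" DOCKER_OPTS)
    case " $current " in
        *" $opt "*) return 0 ;;          # already configured, nothing to do
    esac
    if [ -n "$current" ]; then
        set_kv "$file" DOCKER_OPTS "$current $opt"
    else
        set_kv "$file" DOCKER_OPTS "$opt"
    fi
}

# Only touch the live system when explicitly asked to (assumed switch).
if [ "${1:-}" = "--apply" ]; then
    set_kv /etc/default/ufw DEFAULT_FORWARD_POLICY ACCEPT
    add_docker_opt /etc/default/docker --iptables=false
    ufw reload
    # 2375 is the plain-TCP Docker API: open it only if dockerd listens there,
    # and only from a known source. ADMIN_IP is a placeholder, not a real value.
    # ufw allow from ADMIN_IP to any port 2375 proto tcp
    service docker restart
fi
```

Running the script without `--apply` defines the functions and does nothing, which is what makes it safe to dry-run the edits against copies of the two files before touching the real ones.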
By now docker should already be able to run behind the ufw firewall, but there is still some work to do.
Configure NAT in iptables
On the initial Docker start (before we configured --iptables=false) Docker configured some NAT routing to allow networking within containers. This rule is still active but will disappear at reboot, so after a reboot everything may stop working. No worries, we can manually set this up in the ufw configuration:
Open “/etc/ufw/before.rules”.
sudo nano /etc/ufw/before.rules
Add these lines JUST BEFORE “*filter” (every table in before.rules, including this nat table, must be closed with its own COMMIT line, otherwise iptables-restore rejects the file).
*nat
:PREROUTING ACCEPT [2056:123247]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [34:2100]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
Save the file.
Reboot the system to see if everything works.
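Editing before.rules by hand is where this setup usually breaks (the nat block ends up after *filter, is pasted twice, or is left without its COMMIT). The following added example, not part of the gist, inserts the nat table from the step above exactly once, immediately before the first "*filter" line, and offers a check that a practitioner can run before reloading ufw. The container subnet and bridge name are parameters; the default values are the gist's 172.17.0.0/16 and docker0, the counters are zeroed because the [packets:bytes] numbers in the gist are just saved statistics, and the `--apply` switch is this example's own assumption.

```shell
#!/bin/sh
# Added example (not from the gist): insert the Docker nat table into a
# ufw before.rules file, once, just before "*filter", and verify the result.

# nat_block SUBNET BRIDGE -> print the nat table for the given container subnet.
nat_block() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s $1 ! -o $2 -j MASQUERADE
COMMIT
EOF
}

# insert_nat_block FILE SUBNET BRIDGE
# Exit status: 0 inserted, 2 a *nat table was already present (left untouched),
# 1 FILE has no "*filter" line to anchor on.
insert_nat_block() {
    file=$1
    grep -q '^\*nat' "$file" && return 2
    grep -q '^\*filter' "$file" || return 1
    scratch=$(mktemp)
    inserted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '*filter'*)
                if [ "$inserted" = 0 ]; then
                    nat_block "$2" "$3"
                    inserted=1
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$scratch"
    cat "$scratch" > "$file"     # cat, not mv: keeps the file's owner and mode
    rm -f "$scratch"
}

# nat_before_filter FILE -> 0 when a *nat table precedes *filter and the file
# carries at least two COMMIT lines (one per table), which is the layout
# iptables-restore expects.
nat_before_filter() {
    nat_line=$(grep -n '^\*nat' "$1" | head -n 1 | cut -d: -f1)
    filter_line=$(grep -n '^\*filter' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$nat_line" ] && [ -n "$filter_line" ] && [ "$nat_line" -lt "$filter_line" ] || return 1
    [ "$(grep -c '^COMMIT' "$1")" -ge 2 ]
}

# Only touch the live system when explicitly asked to (assumed switch).
if [ "${1:-}" = "--apply" ]; then
    insert_nat_block /etc/ufw/before.rules 172.17.0.0/16 docker0
    nat_before_filter /etc/ufw/before.rules || { echo "before.rules layout is wrong" >&2; exit 1; }
    ufw allow from 172.17.0.0/16       # the gist's "allow from docker default subnetwork" rule
    ufw reload
fi
```

Because insert_nat_block refuses to add a second nat table, re-running the script after a package upgrade that touched before.rules is safe; if the check fails, the file is left for inspection rather than reloaded into the firewall.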
Add ufw rules: allow connections from the Docker default subnetwork.
ufw allow from 172.17.0.0/16
Allow all ports for the VPN container.
ufw allow local_public_ip
Connect to the VPN.
Connect to any services.