UFW firewall is not working on Ubuntu in DigitalOcean

前端 未结 3 938
难免孤独
难免孤独 2021-02-02 02:42

In my DigitalOcean (DO) droplet I installed this image: Ubuntu Docker 17.12.0~ce on 16.04 (which is available on ** DO website > droplet> destroy> rebuild dropl

相关标签:
3条回答
  • 2021-02-02 03:01

    Alternative solution: Drop UFW and instead use Network Firewall available in digital ocean control panel (on website).

    0 讨论(0)
  • 2021-02-02 03:09

    Docker and UFW don't work together too well as they both modify iptables but there's a way to fix this. You'll need to configure Docker to not use iptables. Add

    DOCKER_OPTS="--iptables=false"
    

    to /etc/default/docker and restart your host (or restart the Docker daemon and UFW).

    These two links have a lot more information about the issue:

    https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html
    https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/

    0 讨论(0)
  • 2021-02-02 03:22

    Doing this DOCKER_OPTS="--iptables=false" didn't work for me.

    I suggest to add these lines at the end of /etc/ufw/after.rules

    # BEGIN UFW AND DOCKER
    *filter
    :ufw-user-forward - [0:0]
    :ufw-docker-logging-deny - [0:0]
    :DOCKER-USER - [0:0]
    -A DOCKER-USER -j ufw-user-forward
    
    -A DOCKER-USER -j RETURN -s 10.0.0.0/8
    -A DOCKER-USER -j RETURN -s 172.16.0.0/12
    -A DOCKER-USER -j RETURN -s 192.168.0.0/16
    
    -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
    
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
    -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
    -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
    
    -A DOCKER-USER -j RETURN
    
    -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
    -A ufw-docker-logging-deny -j DROP
    
    COMMIT
    # END UFW AND DOCKER
    

    Here the source.

    0 讨论(0)
提交回复
热议问题