10

I've set up some rules on my ufw but I think it's just not blocking anything. This is its current status:

~# ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
27015:27115/udp            ALLOW IN    Anywhere
27015:27115/tcp            ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
27015:27115/udp (v6)       ALLOW IN    Anywhere (v6)
27015:27115/tcp (v6)       ALLOW IN    Anywhere (v6)

As you can see, it is denying incoming connections by default and only allowing certain ports. But still, I've just set up a new service on port 8083 and I can access it from outside. Why is it so?

I've used a docker container to run this new service, in case it matters.

  • Can you reload the UFW? Have you tried restarting the server? Are there rules in iptables? Please add `iptables -L` – Christopher Perrin Jun 18 '16 at 12:07
  • Thanks, looking at the iptables -L output I found out that docker directly edits the iptables. I can override this by changing the docker config – Ivan Jun 18 '16 at 13:08

1 Answer

7

It looks like Docker tampers directly with iptables. It is possible to override this behavior by adding --iptables=false to the Docker daemon.

Edit /etc/default/docker and uncomment the DOCKER_OPTS line:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"

The author concluded the following:

  • UFW doesn’t tell you iptables’ true state (not shocking, but still).
  • Never use the -p option (or -P) in Docker for something you don’t want to be public.
  • Only bind on either the loopback interface or an internal IP.
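A quick way to audit for the problem described in this answer, added here as an example and not part of the original post or of Docker itself: containers whose ports are published with -p to 0.0.0.0 (or [::]) are reachable from outside regardless of ufw, while ports published to 127.0.0.1 are not. The script below parses the Ports column of `docker ps` (the mapping format `host:port->port/proto` is assumed from that command's output) and lists every publication that is not bound to loopback. The sample string is constructed; on a live host you would feed `docker ps --format '{{.Ports}}'` into it instead.

```shell
#!/bin/sh
# Added example (not from the original Q&A): flag Docker port publications
# that bypass ufw because they bind to a non-loopback address.

# Print each mapping in a `docker ps` Ports string that binds to something
# other than 127.0.0.1 / ::1. Unpublished ports (no "->") are ignored.
exposed_publications() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' |
    awk -F'->' '/->/ {
        host = $1
        # strip the host port or port range, leaving only the bind address
        sub(/:[0-9]+(-[0-9]+)?$/, "", host)
        # strip IPv6 brackets, e.g. "[::]" -> "::"
        gsub(/[][]/, "", host)
        if (host != "127.0.0.1" && host != "::1") print $0
    }'
}

# Number of exposed publications in a Ports string (0 when none).
exposed_count() {
    exposed_publications "$1" | awk 'END { print NR }'
}

# Constructed sample, as `docker ps` would print it for several containers:
# 8083 is published on all interfaces (reachable despite ufw), 9000 is bound
# to loopback (safe), and 5000 is exposed but not published at all.
SAMPLE_PORTS='0.0.0.0:8083->8083/tcp, 127.0.0.1:9000->9000/tcp, [::]:8083->8083/tcp, 5000/tcp'

echo "Publications that bypass ufw:"
exposed_publications "$SAMPLE_PORTS"
echo "Count: $(exposed_count "$SAMPLE_PORTS")"

# Live use (requires a running Docker daemon), one line per container:
#   docker ps --format '{{.Ports}}' | while read -r p; do exposed_publications "$p"; done
```

Anything the script lists should either be re-published as `-p 127.0.0.1:PORT:PORT` (then fronted by a proxy you control, as the answer's last bullet suggests) or the daemon should be started with --iptables=false so that ufw's rules are the only ones that apply.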