
I’m currently using Traefik on a digitalocean instance with Docker provider enabled. It’s working well with several containers (frontends and backends). The problem is that most DO IPs are recycled and the several that I’ve tried keep getting noisy traffic trying to “connect” to my root IP. I’ve tried searching everywhere but it seems DO firewall doesn’t support “deny” rules and Traefik bypasses local UFW settings since everything is through Docker. Any suggestions on how I can blacklist a handful of bad IPs with this set up? My Traefik “health” dashboard is useless since the 307 requests are many magnitudes larger than regular traffic.

Thank you!

Andres

2 Answers

2

Looks like "for now" it is impossible with Traefik: https://github.com/containous/traefik/pull/4454

So you need something like fail2ban.

Dmitry
2

The recommended method to update the firewall on a docker published port is with the DOCKER-USER table in iptables. You'll want to use conntrack to filter on the published port rather than the container port that docker changes it to before the filter rule runs:

iptables -I DOCKER-USER -i eth0 ! -s 10.0.0.0/24 -p tcp \
  -m conntrack --ctorigdstport 8080 -j DROP

In the above example, on interface eth0, requests that do not come from the class C 10.0.0.0/24 subnet, to published port 8080, are dropped.

BMitch
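Applying the DOCKER-USER/conntrack approach from the answer above to the asker's case (a handful of bad source IPs hitting a Traefik host), here is an added example script that is not part of BMitch's answer or of Traefik. It assumes the public interface is eth0, that Traefik publishes ports 80 and 443, and the addresses in BLOCK_SRCS are constructed placeholders from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Constructed example: build DOCKER-USER rules that drop traffic from a short
# list of source IPs to the published ports, matching on the ORIGINAL
# destination port via conntrack because Docker's DNAT has already rewritten
# the port to the container's port by the time DOCKER-USER is evaluated.
# Assumptions (not from the original page): interface eth0, ports 80/443.

IFACE="${IFACE:-eth0}"
PUBLISHED_PORTS="80 443"
# Constructed sample addresses (documentation ranges), not real indicators.
BLOCK_SRCS="192.0.2.10 198.51.100.0/24"

# Print one iptables rule per (source, published port) pair. -I inserts at
# the top of DOCKER-USER so the DROP runs before Docker's own RETURN rule.
build_rules() {
  for src in $BLOCK_SRCS; do
    for port in $PUBLISHED_PORTS; do
      printf 'iptables -I DOCKER-USER -i %s -s %s -p tcp -m conntrack --ctorigdstport %s -j DROP\n' \
        "$IFACE" "$src" "$port"
    done
  done
}

# Number of rules that would be inserted; a sanity check before applying.
rule_count() {
  build_rules | wc -l | tr -d ' '
}

# Apply idempotently: iptables -C tests whether an identical rule already
# exists, so re-running the script does not stack duplicates. Needs root.
apply_rules() {
  for src in $BLOCK_SRCS; do
    for port in $PUBLISHED_PORTS; do
      if ! iptables -C DOCKER-USER -i "$IFACE" -s "$src" -p tcp \
           -m conntrack --ctorigdstport "$port" -j DROP 2>/dev/null; then
        iptables -I DOCKER-USER -i "$IFACE" -s "$src" -p tcp \
          -m conntrack --ctorigdstport "$port" -j DROP
      fi
    done
  done
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     build_rules ;;   # default is a dry run: show the rules only
esac
```

Run it without arguments to review the generated rules; `sh script.sh apply` inserts them (as root). Because iptables rules are not persistent, re-run it at boot or hook it into whatever rule-persistence mechanism the host uses.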