UFW firewall is not working on Ubuntu in DigitalOc

2020-05-29 15:49发布

问题:

In my DigitalOcean (DO) droplet I installed this image: Ubuntu Docker 17.12.0~ce on 16.04 (which is available on ** DO website > droplet> destroy> rebuild droplet**) , in ssh (after user configuration), I run

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo ufw status verbose

and get:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere                  
2375/tcp                   ALLOW IN    Anywhere                  
2376/tcp                   ALLOW IN    Anywhere                  
22 (v6)                    LIMIT IN    Anywhere (v6)             
2375/tcp (v6)              ALLOW IN    Anywhere (v6)             
2376/tcp (v6)              ALLOW IN    Anywhere (v6) 

As you see, I don't allow any connections on port 80 (http). Ok to test that firewall really works I run following docker:

sudo docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:alpine

But when I go to chrome and type my droplet IP I see nginx response (!!!)

I try this also for Ubuntu 17 image (with docker installation by hand) but still get the same problem.

Conclusion: ufw firewall doesn't work at all in Ubuntu

Question: how to configure ufw/Ubuntu to fix this problem?

回答1:

Docker and UFW don't work together too well as they both modify iptables but there's a way to fix this. You'll need to configure Docker to not use iptables. Add

DOCKER_OPTS="--iptables=false"

to /etc/default/docker and restart your host (or restart the Docker daemon and UFW).

These two links have a lot more information about the issue:

https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html
https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/



回答2:

Doing this DOCKER_OPTS="--iptables=false" didn't work for me.

I suggest to add these lines at the end of /etc/ufw/after.rules

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER

This is the source https://github.com/chaifeng/ufw-docker



回答3:

Alternative solution: Drop UFW and instead use Network Firewall available in digital ocean control panel (on website).