My firewall is blocking network connections from t

2019-02-02 16:35发布

站内问答 / Docker
320 4 5

For me this is a very standard setup, I had a ubuntu machine running docker and ufw as my firewall.

If my firewall is enable the docker instances is unable to connect to outside

$ docker run -i -t ubuntu /bin/bash
WARNING:  Docker detected local DNS server on resolv.conf. Using default external servers: [8.8.8.8 8.8.4.4]
root@d300c5f17207:/# apt-get update
Err http://archive.ubuntu.com precise InRelease
0% [Connecting to archive.ubuntu.com]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/InRelease  
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/Release.gpg  Temporary failure resolving 'archive.ubuntu.com'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Here is the ufw log showing the blocked connections from the docker container.

$ sudo tail /var/log/ufw.log
Jun 30 15:41:56 localhost kernel: [61609.503199] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14886 DF PROTO=UDP SPT=60192 DPT=53 LEN=44 
Jun 30 15:42:01 localhost kernel: [61614.500867] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.4.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=16137 DF PROTO=UDP SPT=44812 DPT=53 LEN=44 
Jun 30 15:42:06 localhost kernel: [61619.498516] [UFW BLOCK] IN=testbr0 OUT=eth0 PHYSIN=veth8Rj8Nh MAC=fe:ff:ed:42:b0:01:0a:7c:42:7c:a6:72:08:00 SRC=172.16.42.2 DST=8.8.8.8 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=14887 DF PROTO=UDP SPT=60192 DPT=53 LEN=44

I had try adding a rule using the ip.

$ sudo ufw allow in from 172.16.42.2
$ sudo ufw allow out from 172.16.42.2

And have no change is still blocked.

How can I esily allow all connections from the container to outside with a ufw rule?

4条回答
疯言疯语
2楼-- · 2019-02-02 16:41

Edit /etc/ufw/before.rules as follows:

In the *filter section, after the first block of required lines, add:

# docker rules to enable external network access from the container
# forward traffic accross the bridge 
-A ufw-before-forward -i docker0 -j ACCEPT
-A ufw-before-forward -i testbr0 -j ACCEPT
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

At the end of the file, after the line that says COMMIT, add the following section:

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.42.0/8 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

After saving the file, restart ufw with sudo ufw disable && sudo ufw enable

查看更多
0人赞 添加讨论(0) 举报
老娘就宠你
3楼-- · 2019-02-02 16:46

Maybe this is due to the current version, but the current answer doesn't work on my system (Docker 0.7.2 with base Ubuntu image).

The solution is explained here in the official Docker documentation.

For the lazy ones:

  • edit /etc/default/ufw to change DEFAULT_FORWARD_POLICY's value to "ACCEPT",
  • reload with [sudo] ufw reload.

This ensures ufw forward your traffic to the Docker's bridged network (as of my current understanding of these things...).

查看更多
0人赞 添加讨论(0) 举报
【Aperson】
4楼-- · 2019-02-02 17:01

Are you sure that ufw allow the connection on the port concerned ?

查看更多
0人赞 添加讨论(0) 举报
霸刀☆藐视天下
5楼-- · 2019-02-02 17:04

This fixed it for me:

 ufw allow in on docker0
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)