Situation
I'm trying to learn how to use docker on my local machine. The local machine is set up to only route traffic through a VPN. The default UFW policy is to DENY all incoming and outgoing traffic (except through a VPN).
Problem
When I try to launch a Docker container docker container run -p 80:80 nginx, I cannot connect to the nginx container using localhost in my browser.
However, I can connect to the local nginx container through telnet
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
The reason I know that UFW may be causing this is because once I disable UFW, I'm able to connect to localhost in the browser with no problem.
Question
How do I connect to my local nginx container from my browser when UFW is set to deny all connections?
I found the solution to my problem.
Solution
ufw allow out on docker0 from 172.17.0.0/16
Since I know the specific port that nginx uses, I can also make this rule more strict by doing
ufw allow out on docker0 from 172.17.0.0/16 port 80 proto tcp
Explanation
Docker creates a new interface for containers and you can see it by running ifconfig:
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:a4:5e:e9:9c txqueuelen 0 (Ethernet)
RX packets 87 bytes 17172 (17.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 117 bytes 14956 (14.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This interface routes traffic through 172.17.xxx.xxx. You can read more about how I found that netmask here.
This gives us all the information we need to write a rule. If you are publishing the container on a different port, you can check for the port number and protocol by doing the following:
docker container lsdocker container port {id}