I have a Linode setup and I've set up UFW to block ports, particularly 8080. I've reloaded the firewall and I'm still able to access the webapp through the web.

UFW:

Status: active

To                         Action      From
--                         ------      ----
787/tcp                    ALLOW       Anywhere
8080                       DENY        Anywhere
787/tcp (v6)               ALLOW       Anywhere (v6)
8080 (v6)                  DENY        Anywhere (v6)

I am running traefik on docker, and have the dashboard port mapped to 8080 and am able to access the app via web. What is happening here? Isn't the rule for 8080 supposed to block the connection?
Solution:

Edit the daemon.json found in /etc/docker/daemon.json and add the following:

    { "iptables": false }

Save, and reload docker. This now prevents docker from modifying iptables and "sidestepping" ufw rules.
Access to ports opened via Docker port publishing is controlled either in the nat PREROUTING chain or in the filter FORWARD table. It's likely that your existing firewall rules are only affecting the filter INPUT table.

The canonical place to add rules for mediating access to Docker containers is the DOCKER-USER chain in the filter table, which is called from the FORWARD chain.

For rules in the DOCKER-USER chain, you will need to use the port on which the container is listening, not the host port on which the service is published.
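A worked example, added here and not part of either answer: a POSIX shell script that maps a published host port back to the container's listening port (parsing docker port output) and adds the matching DROP rule in DOCKER-USER, which is the chain the second answer recommends. It assumes the external interface is eth0 and a container named traefik; both names are assumptions, and the applying function must run as root on the host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes "docker port <name>" prints
# lines of the form "8080/tcp -> 0.0.0.0:8080" and that eth0 faces the internet.

# Map a published host port back to the port the container listens on, reading
# "docker port" output on stdin. This matters because Docker's DNAT rule in the
# nat PREROUTING chain rewrites the destination before the packet reaches
# DOCKER-USER in filter FORWARD, so a --dport match there sees the container port.
container_port_for_host_port() {
  awk -v hp="$1" '
    # fields: "<cport>/<proto>"  "->"  "<addr>:<hport>"  (addr may be [::])
    {
      split($1, c, "/")
      n = split($3, h, ":")
      if (h[n] == hp) { print c[1]; exit }
    }'
}

# Emit the DOCKER-USER rule that blocks outside traffic to a container port.
# DOCKER-USER is evaluated before Docker's own FORWARD rules, so a DROP here
# takes effect regardless of what UFW put in INPUT.
docker_user_drop_rule() {
  printf 'iptables -I DOCKER-USER -i %s -p tcp --dport %s -j DROP' "$1" "$2"
}

# Alternative that matches on the host port as it was before DNAT, via conntrack.
docker_user_drop_rule_origport() {
  printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP' "$1" "$2"
}

# Apply the rule on the host (root required). Example for the question:
#   block_published_port eth0 traefik 8080
block_published_port() {
  iface="$1"; name="$2"; hport="$3"
  cport=$(docker port "$name" | container_port_for_host_port "$hport")
  [ -n "$cport" ] || { echo "no published mapping for host port $hport" >&2; return 1; }
  iptables -I DOCKER-USER -i "$iface" -p tcp --dport "$cport" -j DROP
  # Verify: the new rule should now be the first entry in DOCKER-USER.
  iptables -S DOCKER-USER | head -n 2
}
```

IPv6 published ports need the same rule added with ip6tables, since the v6 DNAT path is separate.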