Search code examples
dockerhttpnginxiptablesufw

ufw seems not to block all ports (Ubuntu with Docker)


There is a server with Ubuntu 20. It has Docker installed, and several containers are running. The reverseproxy is a Nginx that should take traffic on 80 and 443, and route it to the containers. It works perfectly. But now I wanted to block all traffic (apart from 80, 443 and ssh) with ufw.

Somehow traffic on http ports 3000, 3001, 8081, 15672 (ports published by containers) still gets through.

Why? How to block all traffic using ufw?

ufw configuration

www@broowqh:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
9000                       ALLOW IN    Anywhere
3001                       DENY IN     Anywhere
3001/tcp                   DENY IN     Anywhere
3001/udp                   DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
9000 (v6)                  ALLOW IN    Anywhere (v6)
3001 (v6)                  DENY IN     Anywhere (v6)
3001/tcp (v6)              DENY IN     Anywhere (v6)
3001/udp (v6)              DENY IN     Anywhere (v6)

docker ps -a

CONTAINER ID   IMAGE                               COMMAND                  CREATED        STATUS         PORTS                                                                     NAMES
48709042d67f   nginx:1.23-alpine                   "/docker-entrypoint.…"   10 hours ago   Up 10 hours.   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp. reverseproxy
401d6576b3e0   adminer:4.8.1                       "entrypoint.sh docke…"   10 hours ago   Up 10 hours.   0.0.0.0:8081->8080/tcp, :::8081->8080/tcp                                 adminer
c47966cae717   postgres:14.1-alpine                "docker-entrypoint.s…"   10 hours ago   Up 10 hours.   5432/tcp                                                                  db                                                                                                                                                    
1c3709a07fb0   www:current                         "docker-entrypoint.s…"   15 hours ago   Up 10 hours.   0.0.0.0:3001->3001/tcp, :::3001->3001/tcp                                 www
db252e2833bc   postgrest/postgrest:v10.0.0         "/bin/postgrest"         18 hours ago   Up 10 hours.   0.0.0.0:3000->3000/tcp, :::3000->3000/tcp                                 api
68396bebcaa8   rabbitmq:3.9.13-management-alpine   "docker-entrypoint.s…"   19 hours ago   Up 10 hours.   0.0.0.0:5672->5672/tcp, 0.0.0.0:15672->15672/tcp                          broker

Nginx configuration

upstream www {
    server www:3001;
}

upstream api {
    server api:3000;
}

upstream adminer {
    server adminer:8080;
}

upstream rabbit {
    server broker:15672;
}

server {
    listen 80;
    listen [::]:80;

    server_name example.com

    location / {
        return 301 https://example.com$request_uri;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;

    ssl_certificate /etc/nginx/ssl/live/smartplaylist.me/example.crt;
    ssl_certificate_key /etc/nginx/ssl/live/smartplaylist.me/example.key;

    location /adminer/ {
        proxy_pass http://adminer/;
    }

    location /rabbit/ {
        proxy_pass http://rabbit/;
    }

    location /api/ {
        proxy_pass http://api/;
    }

    location / {
        proxy_pass http://www/;
    }
}

Solution

  • Docker bypasses the UFW rules and the published ports can be accessed from outside. You can publish the port onto a specific interface, e.g. 127.0.0.1:8080:80 which would publish the port 8080 on the host's loopback interface (127.0.0.1) to connect to a container's port 80, and that loopback interface is not externally accessible.

    With UFW you are modifying the INPUT rules, but docker adds it rules in PREROUTING table, that means you can't put filter rules at INPUT chain because it will never match and bypass all.