[{"data":1,"prerenderedAt":336},["ShallowReactive",2],{"Categories":3,"NavIndexCategoriesCountFooter":203,"content-\u002F2018\u002F09\u002F21\u002Fufw-with-docker\u002F":204},[4,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,68,70,71,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202],{"category":5},"System Administration",{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},"Software Development",{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":27},{"category":27},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":5},{"category":27},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":27},{"category":27},{"category":67},"Drones & RC",{"category":69},"DIY 
Projects",{"category":67},{"category":72},"Photography",{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":69},{"category":67},{"category":69},{"category":69},{"category":67},{"category":67},{"category":72},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":5},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":5},{"category":67},{"category":67},{"category":72},{"category":72},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":67},{"category":72},{"category":67},{"category":138},"3D Printing - Laser Cutting - CNC",{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":138},{"category":5},{"category":138},{"category":27},{"category":27},{"category":138},{"category":138},{"category":72},{"category":158},"Photography,3D Printing - Laser Cutting - CNC",{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":5},{"category":67},{"category":5},{"category":5},{"category":27},{"category":27},{"category":27},{"category":27},{"category":27},{"category":69},{"category":27},{"category":27},{"category":27},{"category":27},{"category":181},"Home 
Assistant",{"category":181},{"category":72},{"category":27},{"category":27},{"category":72},{"category":138},{"category":5},{"category":72},{"category":72},{"category":138},{"category":27},{"category":181},{"category":181},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},{"category":72},191,{"id":205,"title":206,"body":207,"category":5,"date":321,"description":213,"embedImage":322,"extension":323,"image":322,"intro":322,"meta":324,"navigation":325,"path":326,"seo":327,"series":322,"sitemap":328,"stem":329,"tags":330,"__hash__":335},"content\u002F2018\u002F09\u002F21\u002Fufw-with-docker.md","UFW with Docker",{"type":208,"value":209,"toc":318},"minimark",[210,214,227,230,233,236,239,250,253,256,263,266,269,275,278,284,287,290,293],[211,212,213],"p",{},"Having recently moved a server from one machine to another - I wanted a simpler firewall to deal with than directly playing with iptables.",[211,215,216,217],{},"So I googled, found and installed UFW - I'm using debian so I used this ",[218,219,226],"a",{"href":220,"rel":221,"target":225},"https:\u002F\u002Fwiki.debian.org\u002FUncomplicated%20Firewall%20%28ufw%29",[222,223,224],"nofollow","noopener","noreferer","_blank","wiki link",[211,228,229],{},"I opened just the ports I wanted and made sure that the default was to deny.",[211,231,232],{},"All seemed fine - until I found that all my docker ports were directly available over the net. 
I don't want this - these are supposed to be proxied behind https.",[211,234,235],{},"This is because docker manipulates iptables directly itself: the rules it adds for published ports handle that traffic before UFW's rules are consulted, so the default deny never applies to it.",[211,237,238],{},"First I found a fair number of sites suggesting to set docker to not use iptables.",[240,241,246],"pre",{"className":242,"code":244,"language":245},[243],"language-text","DOCKER_OPTS=\"--iptables=false\"\n","text",[247,248,244],"code",{"__ignoreMap":249},"",[211,251,252],{},"But - docker uses iptables for things it needs so this breaks other things. For example, connections from containers to the internet will fail if this is applied.",[211,254,255],{},"There seem to be two more options.",[211,257,258,259,262],{},"One is simply not to expose the ports when running ",[247,260,261],{},"docker run -p ..."," - but - that would make them unavailable to the proxy too.",[211,264,265],{},"The last and simplest workaround is to change how you run the containers so that the published ports only listen on a specific interface.",[211,267,268],{},"Change e.g.:",[240,270,273],{"className":271,"code":272,"language":245},[243],"docker run -p 8080:8080\n",[247,274,272],{"__ignoreMap":249},[211,276,277],{},"to",[240,279,282],{"className":280,"code":281,"language":245},[243],"docker run -p 127.0.0.1:8080:8080\n",[247,283,281],{"__ignoreMap":249},[211,285,286],{},"And it will only listen on the localhost interface, so the port is reachable only from the host itself - which is where the proxy needs to be running.",[211,288,289],{},"Having done this on all my containers - they are no longer available via the direct port - but can happily live behind my web proxy.",[211,291,292],{},"Links used while digging into this:",[294,295,296,304,311],"ul",{},[297,298,299],"li",{},[218,300,303],{"href":301,"rel":302,"target":225},"https:\u002F\u002Fwww.techrepublic.com\u002Farticle\u002Fhow-to-fix-the-docker-and-ufw-security-flaw\u002F",[222,223,224],"techrepublic on iptables 
false",[297,305,306],{},[218,307,310],{"href":308,"rel":309,"target":225},"https:\u002F\u002Fwww.mkubaczyk.com\u002F2017\u002F09\u002F05\u002Fforce-docker-not-bypass-ufw-rules-ubuntu-16-04\u002F",[222,223,224],"Mateusz Kubaczyk on configuring this in ubuntu - lots of details",[297,312,313],{},[218,314,317],{"href":315,"rel":316,"target":225},"https:\u002F\u002Faskubuntu.com\u002Fa\u002F652572",[222,223,224],"This answer on askubuntu which summarizes the three options",{"title":249,"searchDepth":319,"depth":319,"links":320},2,[],"2018-09-21 08:16 +0200",null,"md",{},true,"\u002F2018\u002F09\u002F21\u002Fufw-with-docker",{"title":206,"description":213},{"loc":326},"2018\u002F09\u002F21\u002Fufw-with-docker",[331,332,333,334],"ufw","docker","iptables","firewall","ugp2kJ30ODn7sUInN2YZES372GKAMyRpMKQ-Ze35hkI",1775293008088]