@codeopensrc
Last active February 22, 2017 00:00
Docker + UFW + Older Linux OS

NOTE:

This solution works; however, your containers can no longer connect to the outside world. Currently searching for a solution where I can whitelist IPs to specific ports on an external server while blocking all other external IPs.

Example: 2-4 web apps accessible to the internet, 1 mongo container. I would like to connect to the mongo container from my IP and from the containers, but disallow anyone else to connect to the mongo container.

Currently it's possible, but all containers lose the ability to ping/connect outside the container with --iptables=false. Otherwise all containers are exposed.

Only other solution off the top of my head is some kind of proxy in front of the server that drops all connections to specific ports except for whitelisted IPs.

A few links that helped initially

How I found out Docker was overwriting/ignoring UFW rules:
http://askubuntu.com/questions/416907/ufw-not-blocking-connections-to-docker-instance#742668

How I sought to solve it:
http://www.acervera.com/blog/2016/03/05/ufw_plus_docker

Works for sysvinit/upstart systems, but NOT mine (jessie/8.6)

More clarification as to how I could solve the problem
https://fralef.me/docker-and-iptables.html

Getting it into more layman's terms (do filenames matter, edit directly/override it?)
http://stackoverflow.com/questions/27763340/docker-opts-do-not-work-in-config-file-etc-default-docker#31385025

If you know about systemd (I don't), docker does note configuring with systemd here, but it didn't make much sense at first
https://docs.docker.com/engine/admin/systemd/

Final solution being this:

Set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw
Set DOCKER_OPTS="--iptables=false" in /etc/default/docker
Create a directory /etc/systemd/system/docker.service.d and a file docker.conf inside that new directory (the file name doesn't matter)
Enter the below text into the docker.conf file:

```ini
[Service]
# Load DOCKER_OPTS (set in /etc/default/docker) into the service environment
EnvironmentFile=/etc/default/docker
# An empty ExecStart= clears the ExecStart inherited from the packaged unit;
# the next line replaces it with one that passes $DOCKER_OPTS to the daemon
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS
```

Run sudo ufw reload
Run sudo systemctl daemon-reload
Run sudo systemctl restart docker

Your UFW/iptables rules should be working again.

Be sure to test!
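One way to test the result after the restart, as an added example that is not part of the original gist: the script below inspects an `iptables -S` listing and the running dockerd command line for signs that Docker is still installing its own chains, which is what lets published container ports bypass the UFW rule set. The two sample listings, the function names, the container address 172.17.0.2 and the mongo port 27017 are constructed for the demo; the `--live` branch assumes root and a procps `ps`.

```sh
#!/bin/sh
# Post-fix check: report whether Docker is still installing its own iptables
# chains, which is what lets published container ports bypass the UFW rule set.
# $1: text of `sudo iptables -S`. Returns 0 if Docker-managed chains/jumps exist.
docker_rules_present() {
    printf '%s\n' "$1" | grep -Eq '^-(N|A) DOCKER|-j DOCKER'
}

# $1: dockerd command line (e.g. `ps -o args= -C dockerd`).
# Returns 0 if the daemon was started with --iptables=false.
iptables_disabled_in_cmdline() {
    printf '%s\n' "$1" | grep -q -- '--iptables=false'
}

# Prints a verdict for a listing; returns 1 when UFW is being bypassed.
check_listing() {
    if docker_rules_present "$1"; then
        echo "WARNING: Docker-managed chains present; published ports bypass UFW"
        return 1
    fi
    echo "OK: no Docker-managed iptables rules; UFW rules apply"
}

# Constructed sample, BEFORE the fix: Docker's own chains accept traffic to the
# mongo port (27017 assumed) before the ufw-user-* chains are ever consulted.
BEFORE_FIX='-P INPUT DROP
-P FORWARD ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N ufw-user-input
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'
# Constructed sample, AFTER --iptables=false took effect: only UFW chains remain.
AFTER_FIX='-P INPUT DROP
-N ufw-user-input
-A INPUT -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then   # real host: needs root for iptables -S
    check_listing "$(iptables -S)" || :
    iptables_disabled_in_cmdline "$(ps -o args= -C dockerd)" \
        && echo "OK: dockerd started with --iptables=false" \
        || echo "WARNING: dockerd lacks --iptables=false (check DOCKER_OPTS)"
else                               # demo on the constructed samples
    check_listing "$BEFORE_FIX" || :
    check_listing "$AFTER_FIX"
fi
```

Run it without arguments to see both verdicts on the samples, or with `--live` on the host after `systemctl restart docker`; also confirm from another machine that a published port is actually refused when no UFW rule allows it.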
