Ubuntu has a great firewall called the 'Uncomplicated Firewall' or UFW for short. This is a great option if you want to secure your system.
Docker, by default, will update your iptables and punch holes in your firewall. This guide will show you how to constrain Docker behind UFW, providing consistent system firewall security.
Default UFW settings
sudo ufw allow ssh
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
Configure default forward policy
sudo nano /etc/default/ufw
Edit Line:
DEFAULT_FORWARD_POLICY="ACCEPT"
Reload UFW
sudo ufw reload
Allow docker port (default: 2375)
sudo ufw allow 2375
Enable daemon.json
sudo mkdir -p /lib/systemd/system/docker.service.d
sudo nano /lib/systemd/system/docker.service.d/override.conf
Set Content:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
Setup daemon.json
sudo nano /etc/docker/daemon.json
Set Content:
{
"hosts": ["fd://"],
"dns": ["8.8.8.8", "8.8.4.4"],
"iptables": false
}
Restart Docker
sudo systemctl daemon-reload
sudo systemctl restart docker
Configure NAT
sudo nano /etc/ufw/before.rules
Add lines before "filter"*
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT
Reboot system
sudo reboot now
Now ports exposed by docker have to explicitly be enabled in UFW
I also try once to setup my old pentium 4 system box as ubuntu firewall and it did well. I dont aware about the reboot now command. My favorite is telinit
System security is the goal here... I love this stuff quite comprehensive and handy. U have my upvote Mr. Cluttered code.
Thank you!
i love your name and from now onward... i choose you as ma mentor. someone i will like to follow @clutteredcode. Your infos are always on point and resourceful. Thank you for enlightening the mass.
Interesting article
Great post