Docker official documentation firewall guide
Add firewall rules to the DOCKER-USER chain in iptables
https://docs.docker.com/network/packet-filtering-firewalls/
How to configure UFW
https://docs.docker.com/network/packet-filtering-firewalls/ states that Docker and UFW configure iptables in ways that are incompatible with each other:
Docker and ufw use iptables in ways that make them incompatible with each other.
However, if the UFW rule chain ( ufw-user-input ) is hooked into the DOCKER-USER chain, the firewall can still be applied to published container ports.
Check NIC
```
# lshw -short -c net
H/W path            Device      Class          Description
==========================================================
/0/100/2/0                      network        Virtio network device
/0/100/2/0/0        enp1s0      network        Ethernet interface
```
Change systemd ordering
so that the firewall is loaded before the docker service

/lib/systemd/system/ufw.service

| before | after |
|---|---|
| `Before=network-pre.target` | `Before=network-pre.target docker.service` |
Add UFW rule for firewall
/etc/ufw/after.rules (append inside the `*filter` section, just before its final COMMIT; enp1s0 is the interface found with lshw above, replace it with your own)

before:

```
# don't delete the 'COMMIT' ...
COMMIT
```

after:

```
# put docker behind ufw
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i enp1s0 -j ufw-user-input
-A DOCKER-USER -i enp1s0 -j DROP
# don't delete the 'COMMIT' ...
COMMIT
```
Reboot
```
# ufw enable
# reboot
```
Check
```
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       111.222.111.0/24
```

```
# iptables -L -v -x
Chain INPUT (policy DROP 7 packets, 288 bytes)
    pkts      bytes target                    prot opt in     out    source           destination
     248      27238 ufw-before-logging-input  all  --  any    any    anywhere         anywhere
     248      27238 ufw-before-input          all  --  any    any    anywhere         anywhere
      38       8139 ufw-after-input           all  --  any    any    anywhere         anywhere
      15        896 ufw-after-logging-input   all  --  any    any    anywhere         anywhere
      15        896 ufw-reject-input          all  --  any    any    anywhere         anywhere
      15        896 ufw-track-input           all  --  any    any    anywhere         anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
...

Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
...

Chain DOCKER-USER (1 references)
    pkts      bytes target          prot opt in     out    source           destination
       0          0 ACCEPT          all  --  any    any    anywhere         anywhere         ctstate RELATED,ESTABLISHED
       0          0 DROP            all  --  any    any    anywhere         anywhere         ctstate INVALID
       0          0 ufw-user-input  all  --  enp1s0 any    anywhere         anywhere
       0          0 DROP            all  --  enp1s0 any    anywhere         anywhere
       0          0 RETURN          all  --  any    any    anywhere         anywhere
...

Chain ufw-user-input (2 references)
    pkts      bytes target          prot opt in     out    source           destination
       1         64 ACCEPT          tcp  --  any    any    anywhere         anywhere         tcp dpt:ssh
       0          0 ACCEPT          tcp  --  any    any    111.222.111.0/24 anywhere         tcp dpt:http
```
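The iptables listing above is what a correctly wired DOCKER-USER chain looks like, but after.rules is easy to get wrong (a typo makes ufw skip the file, or the DROP ends up before the jump). The POSIX shell helper below is an added example, not code from the Docker docs or the original note: it parses `iptables -S DOCKER-USER` output and checks that the three critical rules are present and in a safe order; it assumes the NIC name enp1s0 from the lshw step, overridable via the NIC variable.

```shell
#!/bin/sh
# Added helper, not from the Docker docs or the original note. Reads the text of
# `iptables -S DOCKER-USER` and confirms the rules from after.rules were loaded in
# a safe order: RELATED,ESTABLISHED ACCEPT first, then the jump to ufw-user-input,
# then the catch-all DROP on the NIC. If the DROP is missing, every published
# container port bypasses UFW; if the DROP precedes the jump, UFW is never consulted.
# NIC defaults to enp1s0, the interface found with lshw on the page.
NIC="${NIC:-enp1s0}"

# Print the 1-based line position of the first rule in $1 containing $2, or nothing.
rule_pos() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Return 0 when DOCKER-USER is wired as described, 1 otherwise.
check_docker_user_chain() {
    rules=$1
    est=$(rule_pos "$rules" "-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    jmp=$(rule_pos "$rules" "-A DOCKER-USER -i $NIC -j ufw-user-input")
    drp=$(rule_pos "$rules" "-A DOCKER-USER -i $NIC -j DROP")
    # all three rules must be present ...
    [ -n "$est" ] && [ -n "$jmp" ] && [ -n "$drp" ] || return 1
    # ... and ordered ACCEPT(established) < jump to ufw-user-input < DROP
    [ "$est" -lt "$jmp" ] && [ "$jmp" -lt "$drp" ]
}

# Constructed sample outputs in `iptables -S` format (not captured from a real host).
GOOD_CHAIN='-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i enp1s0 -j ufw-user-input
-A DOCKER-USER -i enp1s0 -j DROP
-A DOCKER-USER -j RETURN'
# after.rules never loaded: only Docker's own RETURN is there, ports are exposed
UNLOADED_CHAIN='-N DOCKER-USER
-A DOCKER-USER -j RETURN'
# DROP before the jump: ufw-user-input is unreachable, all published ports blocked
MISORDERED_CHAIN='-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i enp1s0 -j DROP
-A DOCKER-USER -i enp1s0 -j ufw-user-input
-A DOCKER-USER -j RETURN'

# On a live host: check_docker_user_chain "$(iptables -S DOCKER-USER)" && echo "DOCKER-USER OK"
```

Run it from a cron job or a post-boot unit so that a silently ignored after.rules is noticed before containers go live.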