

Check the NIC name (the interface used in the rules below)

# lshw -short -c net
H/W path                Device      Class          Description
==============================================================
/0/100/2/0                          network        Virtio network device
/0/100/2/0/0            enp1s0      network        Ethernet interface


Change the systemd unit

so that the firewall is started before the docker service

/lib/systemd/system/ufw.service

before:
Before=network-pre.target

after:
Before=network-pre.target docker.service


Add UFW rules to put Docker behind ufw

/etc/ufw/after.rules

before:
# don't delete the 'COMMIT' ...
COMMIT

after:
# put docker behind ufw
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i enp1s0 -j ufw-user-input
-A DOCKER-USER -i enp1s0 -j DROP

# don't delete the 'COMMIT' ...
COMMIT


Reboot

# ufw enable
# reboot


Check

# ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       111.222.111.0/24

# iptables -L -v -x
Chain INPUT (policy DROP 7 packets, 288 bytes)
    pkts    bytes target                    prot opt in     out     source               destination
     248    27238 ufw-before-logging-input  all  --  any    any     anywhere             anywhere
     248    27238 ufw-before-input          all  --  any    any     anywhere             anywhere
      38     8139 ufw-after-input           all  --  any    any     anywhere             anywhere
      15      896 ufw-after-logging-input   all  --  any    any     anywhere             anywhere
      15      896 ufw-reject-input          all  --  any    any     anywhere             anywhere
      15      896 ufw-track-input           all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
...

Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
...

Chain DOCKER-USER (1 references)
    pkts    bytes target                    prot opt in     out     source               destination
       0        0 ACCEPT                    all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
       0        0 DROP                      all  --  any    any     anywhere             anywhere             ctstate INVALID
       0        0 ufw-user-input            all  --  enp1s0 any     anywhere             anywhere
       0        0 DROP                      all  --  enp1s0 any     anywhere             anywhere
       0        0 RETURN                    all  --  any    any     anywhere             anywhere
...

Chain ufw-user-input (2 references)
    pkts    bytes target                    prot opt in     out     source               destination
       1       64 ACCEPT                    tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
       0        0 ACCEPT                    tcp  --  any    any     111.222.111.0/24     anywhere             tcp dpt:http
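The two configuration steps above (the systemd ordering and the after.rules block) as a script, added here as an example; it is not part of the original page. It assumes the systemd ordering is done with a drop-in file instead of editing /lib/systemd/system/ufw.service (a drop-in survives package upgrades), and the file paths, interface name and the drop-in name docker-order.conf are parameters or my own choices so the functions can be tried on copies of the files first.

```shell
#!/bin/sh
# Added example, not from the original page. Applies the page's two config
# steps with paths passed as parameters so they can be run against copies.
# Assumption: a systemd drop-in is used for the ordering instead of editing
# the unit file under /lib/systemd/system.

# Print the DOCKER-USER block from this page for the given external interface.
docker_ufw_block() {
    cat <<EOF
# put docker behind ufw
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i $1 -j ufw-user-input
-A DOCKER-USER -i $1 -j DROP

EOF
}

# Insert the block into an after.rules file just above its final COMMIT,
# keeping ufw's "don't delete the 'COMMIT'" comment attached to COMMIT.
# Idempotent: a second run leaves the file unchanged. Returns 1 when the
# file has no COMMIT line (then it is not a ufw rules file).
add_docker_rules() {
    rules="$1"; iface="$2"
    grep -q '^# put docker behind ufw$' "$rules" && return 0
    at=$(grep -n '^COMMIT$' "$rules" | tail -n 1 | cut -d: -f1)
    [ -n "$at" ] || return 1
    if [ "$at" -gt 1 ] && sed -n "$((at - 1))p" "$rules" | grep -q "^# don't delete"; then
        at=$((at - 1))
    fi
    {
        head -n "$((at - 1))" "$rules"
        docker_ufw_block "$iface"
        tail -n "+$at" "$rules"
    } > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Write a systemd drop-in ordering ufw.service before docker.service.
# $1 = drop-in directory (normally /etc/systemd/system/ufw.service.d);
# the file name docker-order.conf is an assumption of this example.
write_ufw_dropin() {
    mkdir -p "$1" && printf '[Unit]\nBefore=docker.service\n' > "$1/docker-order.conf"
}
```

On a live system run it as root against the real paths, then `systemctl daemon-reload` and `ufw reload` (or reboot as above) to apply.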


Ref

https://velog.io/@cloudjun/우분투-UFW-방화벽-설정하기-Docker-이슈
