Docker Firewall Setup
Setup a Docker Host's Firewall
Setup Docker Host’s Firewall
- Debian/Ubuntu Server is assumed
- Designed to run on Docker Host Server
Install Requirements
# Ultimate Firewall Neededapt-get update && apt-get install -y ufw nmap curlGet your Internal & External IP Addresses
# Get your IP Addresses, simple output:hostname --all-ip-addresses
# OR use ip tool, example:ip addrFirtewall (UFW) Setup - Example Cmds
ufw logging on # on=low - medium might be better for diagnosticsufw logging medium# First, block all the thingsufw default deny incoming
# REQUIRED: CHOOSE *ONE* OF THE FOLLOWING DEFAULT OUTBOUND RULES:ufw default deny outgoingufw default allow outgoing
# Allow and log all new ssh connections,ufw allow log proto tcp from any to any port 22## Allow http traffic (w/o explicit logging)ufw allow out on docker0 53/udp to 172.17.0.1/16ufw allow out on eth0 to any port 53ufw allow out on eth0 from 0.0.0.0/0 to any port 80 proto tcpufw allow out on eth0 from 0.0.0.0/0 to any port 443 proto tcp
# Verbose: ufw allow proto tcp from any to any port 80ufw allow 80/tcpufw allow 443/tcpufw allow log 22/tcpufw limit ssh # Basic Rate limit 4 SSH brute force mitigation
# Set your ext IPexport EXTERNAL_IP=123.123.123.123# Update docker IP if neededexport DOCKER_IP=172.17.42.1# Forward tcp 8080 traffic to Dockerized Appufw allow proto tcp from $EXTERNAL_IP port 8080 to $DOCKER_IP port 3000Enable / Start Firewall
Be Careful, Don’t Lock out your SSH port (sshd defaults to 22)
ufw --force enable
ufw resetTest Your Firewall
Important: USE A REMOTE IP ADDR/LOCATION
# Verify dependencyapt-get update && apt-get install -y nmap
# Set scan targetexport TARGET_HOST=123.123.123.123
# Example Scan Commands:# Fast open port checknmap -p 1-10240,27017 -T5 $TARGET_HOST# Thorough scannmap -p 1-10240,27017 --open -v -APN $TARGET_HOST# Svc Inspectionnmap -p 1-10240,27017 -O --osscan-guess $TARGET_HOSTDONE! Now you should see ONLY the ports you configured!
