this post was submitted on 23 Oct 2024
17 points (90.5% liked)

Selfhosted

I've recently learned that UFW firewall rules do not affect Docker containers. I am looking into learning firewall rules in depth, but in the meantime I want to make sure I don't fuck something up, so here are a few questions:

1- On a host that drops all incoming connections (configured through UFW), if I have a container with only a single port mapping 127.0.0.1:8080:80, is there any way to access this container through the public internet? What about 8080:80, or no port mapping at all?

2- How do I drop all incoming connections to all Docker containers and do I need to do that? Similar to ufw default deny incoming?

3- Is there a way to see all incoming/outgoing connections of all containers?

Thanks in advance and any resource advice for securing docker for dummies is appreciated.

[–] rikudou@lemmings.world 2 points 6 days ago
  1. For all the mentioned cases, if your firewall blocks incoming packets by default, no one can access it, no matter what the source of the open port is.

  2. You don't configure it on the docker level, at least if you care about outside connections. If you mean from your local computer to a docker container, by default you cannot connect unless you expose the port to the system. If you mean from other docker containers, just create your own separate network to run the container in, and then even other docker containers cannot access the ports.

  3. I usually use netstat -tulpn; it lists all ports, not only docker's, but docker is included. docker ps should also show all exposed ports and their mappings.

In general, all docker containers run on some internal docker network, either the default or a custom one. The network's ports don't interfere with your own; that's why you can have 20 nginx servers running in docker containers on the same port. When you bind a port in docker, you basically create a bridge from the docker network to your PC's local network. So now anything that can connect to your PC can also connect to the service. And if you allow connection to the port from outside the network, it will work as well. Note that port forwarding on your router must be set up.

So in conclusion, to actually make a service running in docker visible to the public internet, you need to do quite a few steps!

  • bind a port to your local host
  • have your local firewall allow connection to the port
  • have your router set up to forward connections on the port to your machine

On Linux, the local firewall is usually disabled by default, but the other two steps require you to actively change the default config. And you mention that all incoming traffic is dropped using UFW, so all three parts should be covered.
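The question's three cases (127.0.0.1:8080:80, 8080:80, no mapping) and the answer's "docker ps shows the mappings" both come down to reading the host address each publication binds to. The script below is an added example for this thread, not code posted by anyone in it: it parses the PORTS column as printed by docker ps --format '{{.Names}}\t{{.Ports}}' (a real docker CLI option) and classifies every binding as loopback-only, bound on all interfaces, bound on one interface, or exposed but not published. Since, as the original post notes, UFW's rules don't apply to Docker-published ports, the "all-interfaces" entries are the ones a perimeter review should look at; a default-deny in ufw status is not evidence that they are blocked. The container names and mappings in SAMPLE_DOCKER_PS are constructed for illustration.

```python
"""Classify each Docker port publication by the host address it binds to.

Added example for this thread, not code posted by anyone in it. It reads
the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` (a real docker
CLI format string) and answers the question's first case: which published
ports listen only on 127.0.0.1, which on every interface, and which are
not published at all. The sample below is constructed for illustration.
"""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass

# Constructed sample shaped like `docker ps --format '{{.Names}}\t{{.Ports}}'`.
# 'web' is the 127.0.0.1:8080:80 case, 'api' the 8080:80 case, 'db' has an
# EXPOSE but no mapping, 'cache' publishes nothing, 'dns' is a UDP wildcard.
SAMPLE_DOCKER_PS = (
    "web\t127.0.0.1:8080->80/tcp\n"
    "api\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n"
    "db\t5432/tcp\n"
    "cache\t\n"
    "dns\t0.0.0.0:53->53/udp\n"
)

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class Binding:
    container: str
    host_addr: str       # "" when the port is exposed but not published
    host_port: str       # single port or a range such as "8000-8010"
    container_port: str
    proto: str

    @property
    def scope(self) -> str:
        """Who can reach the port: nobody outside the docker network,
        only local processes, one interface, or anything that reaches the host."""
        if not self.host_addr:
            return "unpublished"
        if self.host_addr in LOOPBACK:
            return "loopback"
        if self.host_addr in WILDCARD:
            return "all-interfaces"
        return "interface"


def parse_ports_field(container: str, ports: str) -> list[Binding]:
    """Parse one PORTS cell, e.g. '0.0.0.0:8080->80/tcp, :::8080->80/tcp'."""
    bindings = []
    for entry in (p.strip() for p in ports.split(",")):
        if not entry:
            continue
        if "->" in entry:
            left, right = entry.split("->", 1)
            # rsplit on the last ':' so the IPv6 wildcard ':::8080' yields host '::'
            host_addr, host_port = left.rsplit(":", 1) if ":" in left else ("", left)
        else:                      # exposed only: no host side at all
            host_addr, host_port, right = "", "", entry
        container_port, proto = right.split("/", 1)
        bindings.append(Binding(container, host_addr, host_port, container_port, proto))
    return bindings


def parse_docker_ps(text: str) -> list[Binding]:
    """Parse the whole Names<TAB>Ports listing."""
    bindings: list[Binding] = []
    for line in text.splitlines():
        name, _, ports = line.partition("\t")
        if name.strip():
            bindings.extend(parse_ports_field(name.strip(), ports))
    return bindings


def externally_reachable(bindings: list[Binding]) -> list[Binding]:
    """Publications a remote host can hit. Because Docker publishes ports
    outside UFW's rules (the point of the original post), this list, not
    `ufw status`, is what to review for internet exposure."""
    return [b for b in bindings if b.scope in ("all-interfaces", "interface")]


def report(text: str) -> str:
    """One line per binding, ending with its reachability class."""
    rows = []
    for b in parse_docker_ps(text):
        host = f"{b.host_addr or '-'}:{b.host_port or '-'}"
        rows.append(f"{b.container:<8} {b.proto}/{b.container_port:<5} {host:<22} {b.scope}")
    return "\n".join(rows)


if __name__ == "__main__":
    # `--live` reads the real listing from the docker CLI; default is the sample.
    if "--live" in sys.argv:
        listing = subprocess.run(
            ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        listing = SAMPLE_DOCKER_PS
    print(report(listing))
    exposed = sorted({b.container for b in externally_reachable(parse_docker_ps(listing))})
    print("reachable from other hosts:", ", ".join(exposed) or "none")
```

Run it with no arguments to see the constructed sample classified, or with --live on a host where the docker CLI is available. Anything reported as all-interfaces is reachable by whatever can route to the host, which on a machine with port forwarding at the router means the internet; binding to 127.0.0.1 (the question's first case) keeps the publication off external interfaces without relying on UFW at all. For host-level filtering of forwarded container traffic, Docker's own documentation points to its DOCKER-USER iptables chain rather than the INPUT chain that UFW manages.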