fixing docker issue with open ports and firewalls, with ufw instead of iptables
If you have ever dealt with Docker and opening ports at the host level1, you might have (hopefully) realized that firewalls do not filter these ports used by Docker. Consequentially, if you use neat solutions such as Fail2Ban in the host to ban somebody abusing one of your docker containers, the ban kicks in but is effectively void.
This issue is well known, and it happens because Docker sets up its own iptables rules to achieve network isolation and port forwarding. These rules interfere with the usual ways we use our firewalls. Now, if you are an iptables guru, you know how to setup your own filtering so that it is compatible with the
DOCKER-USER chain. If you, like me, see iptables like black magic and prefer a human readable firewall like ufw, you’re hit by the same issue. The ufw is just a frontend for iptables.
I discovered two neat tricks this week. The first one: you can use ufw as a banaction for fail2ban instead of iptables directly.
This is how I set it up globally in
/etc/fail2ban/jail.local so that I do not have to specify it for all jails.
# cat /etc/fail2ban/jail.local | grep banaction banaction = ufw banaction_allports = ufw
So that when fail2ban issues some bans:
# fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 3 | |- Total failed: 1641 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 2 |- Total banned: 33 `- Banned IP list: 220.127.116.11 18.104.22.168
The ban is handled by ufw and you can see it pretty easily:
# ufw status Status: active To Action From -- ------ ---- Anywhere REJECT 22.214.171.124 Anywhere REJECT 126.96.36.199 [...]
How to have ufw actually ban bad actors with Docker containers? This post by p1ngouin shows the solution. It is a pretty easy one, and they even offer an Ansible solution to automatize its deployment. Just remember to use your network interface name instead of
For example, a containerized SMPT server using the host ports 25, 465, and 587. ↩
I do not use a commenting system anymore, but I would be glad to read your feedback. Feel free to contact me.