Komisches Verhalten Docker-Portainer-UFW-UFW Docker

Interessent · Aug 23rd 2024

Hallo zusammen,

ich habe gerade auf einem Webserver (Ubuntu, UFW + UFW Docker, um das Docker und UFW Problem zu lösen) einige Docker Container mit Portainer verteilt und eingerichtet.

Bisher wurden in der Firewall mit Hilfe von UFW Docker KEINE Regeln und Freigaben für irgendwelche Container erteilt. Alles zu.

Ein Test hat jedoch ergeben, dass alle Container und IP:externer Port erreichbar sind.

Ich habe mal mit iptables -L nachgeschaut und in der Chain DOCKER finden sich tatsächlich zu allen Containern Einträge, die den Zugriff auf die jeweiligen Ports zulassen.

Wie kann das denn sein? Ich nutze doch UFW Docker um gerade das zu verhindern.

Hab den Server jetzt erstmal wieder offline genommen, bis ich eine Lösung gefunden habe.

Kann hier jemand helfen?

Danke & Grüße

Virinum · Aug 24th 2024

https://github.com/chaifeng/ufw-docker

Interessent · Aug 24th 2024

Quote from Virinum

https://github.com/chaifeng/ufw-docker

Hab ich installiert, ja

Virinum · Aug 24th 2024

Quote from Interessent

Hab ich installiert, ja

Hatte ich überlesen, sorry. War gestern doch zu spät.

Weitere Workarounds wären noch auf localhost zu binden (ist aber auch nicht absolut sicher, finde den Post aber leider gerade nicht dazu) oder den Network-Type host zu wählen.

Natürlich könnte man auch noch einen weiteren Server als Firewall davor setzen.

Aber schöner wäre es natürlich, wenn man keine Workarounds nutzen müsste und es einfach funktionieren würde wie gedacht. Hab da aber leider gerade spontan keine weiteren Ideen.

Interessent · Aug 24th 2024

Das interessantes ist, ich hatte das Setting schon mal auf nem anderen Server. Allerdings ohne Portainer. Da hat es funktioniert.

Vll hat ja noch jemand Tipps.

frank_m · Aug 24th 2024

Um das beurteilen zu können, müsste man sich ansehen, welche Regeln du exakt in ufw und ufw-docker anwendest. Welchen der Wege hast du denn konfiguriert? Input oder Forward?

Casstg · Aug 24th 2024

I run docker / portainer / ufw on all my setups and do not face this issue.

However, I use UFW on the root server and not in docker. I make the amendments listed in the github listed above (changing the IP's to match my custom docker network i.e 172.20.0.0/12 and then use forward rules to point to my proxy docker container (either Swag or NPM). However that works for my setup and not knowing how you have yours setup, wethere you have a proxy container etc it is hard to pin point the issue. As i am using a proxy i do not have to publish any ports publically for the containers so that also assists.

My Setup

Debian 12 with UFW and Crowdsec installed
UFW ammended with the changes listed in Github Link
Custom Docker Network so all containers can talk to each other without issue (also assigndocker network Static IP's to each container)
NPM/SWAG as Proxy managing traffic to the correct containers
Apart from the proxy container no other containers have ports published
UFW Forward rules for Port 80/443 are sent to the Proxy container static ip only following the github guide

That results in 2 forward rules for TCP traffic and then i have a SSH rule obviously as normal.

I occasionally have published ports for portainer as i forget to remove it after initial setup however, NMAP scan only ever shows the 3 ports as being open as expected.

Interessent · Aug 24th 2024

So hier noch mal eine Zusammenfassung mit mehr Infos:

- ufw läuft standallone, direkt auf dem Server, nicht in Docker

- Der Netzwerktyp aller Container (bis auf einem Wireguard Container) ist NICHT Host

- aktuell sind die Container noch in unterschiedlichen Netzen, die meisten davon werden dann final in einem Netz mit dem NPM sein und hinter diesem verschwinden, d.h. noch noch der NPM Container wird auf 80,443 TCP erreichbar sein.

- Aktuell nur diese Firewall Regeln vorhanden:

Code

     To                         Action      From
     --                         ------      ----
[ 1] *SSHPORT*/tcp              LIMIT IN    Anywhere
[ 2] *SSHPORT*                  LIMIT IN    Anywhere
[ 3] 172.18.0.2 51820/udp       ALLOW FWD   Anywhere                   # allow wireguard 51820/udp wireguard-server_default
[ 4] 172.17.0.3 9001/tcp        ALLOW FWD   Anywhere                   # allow portainer_agent 9001/tcp bridge
[ 5] *SSHPORT*/tcp (v6)         LIMIT IN    Anywhere (v6)
[ 6] *SSHPORT* (v6)             LIMIT IN    Anywhere (v6)

Normalerweise gebe ich dann die Docker COntainer so in UFW frei:

ufw-docker allow containername *PORT*/tcp

Auf dem alten Server ging es. Evtl. hat das Update auf 22.0.4 von 20.0.4 was zerschossen? Hab UFW Docker aber bereits neu installiert. Keine Änderung.

So schaut meine /etc/ufw/after.rules aus:

Code

#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-after-input
#   ufw-after-output
#   ufw-after-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# End required lines

# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

Display More

Sollte eigentlich passen...

So schaut die DOCKER CHAIN mit iptables -L aus (alle Regeln hatte ich gestern gelöscht, jetzt nach hochfahren des Servers, alles wieder da):

Code

Chain DOCKER (13 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9001
ACCEPT     tcp  --  anywhere             192.168.0.2          tcp dpt:https
ACCEPT     tcp  --  anywhere             172.21.0.2           tcp dpt:8000
ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:9443
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:3001
ACCEPT     tcp  --  anywhere             syn-172-100-000-009.res.spectrum.com  tcp dpt:http
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             192.168.0.2          tcp dpt:http
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:51820
ACCEPT     udp  --  anywhere             172.29.0.2           udp dpt:openvpn
ACCEPT     tcp  --  anywhere             syn-172-100-000-006.res.spectrum.com  tcp dpt:22300
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:943
ACCEPT     tcp  --  anywhere             syn-172-100-000-008.res.spectrum.com  tcp dpt:5216
ACCEPT     tcp  --  anywhere             syn-172-100-000-007.res.spectrum.com  tcp dpt:postgresql

Display More

Vll. kann ja jemand damit was anfangen.

Interessent · Aug 25th 2024

Vll. hängt es auch mit der Docker Version zusammen? Damals noch unter 20.0.4, hab ich es so installiert:

Code

sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common


curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -


sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"


sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io

frank_m · Aug 25th 2024

Quote from Interessent

- Der Netzwerktyp aller Container (bis auf einem Wireguard Container) ist NICHT Host

Alle Regeln, die du ins zeigst, betreffen die INPUT Kette. Aber in dem Fall ist die FORWARD Chain entscheidend, vor allem auch die Pre-Routing und Post-Routing Regeln. Dort wird festgelegt, welche Pakete von außen auf deine Container gelassen werden. Also auch wenn du sie hier nicht freigegeben hast, können darüber Pakete an deine Container gelangen.

Du musst schon das gesamte Regelwerk betrachten.

Interessent · Aug 25th 2024

ok hier mal alle Regeln, vll. seht ihr ja einen Fehler:

Code

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    f2b-portscan-block  tcp  --  anywhere             anywhere
2    DROP       all  --  anywhere             anywhere             match-set blacklist src
3    ufw-before-logging-input  all  --  anywhere             anywhere
4    ufw-before-input  all  --  anywhere             anywhere
5    ufw-after-input  all  --  anywhere             anywhere
6    ufw-after-logging-input  all  --  anywhere             anywhere
7    ufw-reject-input  all  --  anywhere             anywhere
8    ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-USER  all  --  anywhere             anywhere
2    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  anywhere             anywhere
5    ACCEPT     all  --  anywhere             anywhere
6    ACCEPT     all  --  anywhere             anywhere
7    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
8    DOCKER     all  --  anywhere             anywhere
9    ACCEPT     all  --  anywhere             anywhere
10   ACCEPT     all  --  anywhere             anywhere
11   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
12   DOCKER     all  --  anywhere             anywhere
13   ACCEPT     all  --  anywhere             anywhere
14   ACCEPT     all  --  anywhere             anywhere
15   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
16   DOCKER     all  --  anywhere             anywhere
17   ACCEPT     all  --  anywhere             anywhere
18   ACCEPT     all  --  anywhere             anywhere
19   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
20   DOCKER     all  --  anywhere             anywhere
21   ACCEPT     all  --  anywhere             anywhere
22   ACCEPT     all  --  anywhere             anywhere
23   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
24   DOCKER     all  --  anywhere             anywhere
25   ACCEPT     all  --  anywhere             anywhere
26   ACCEPT     all  --  anywhere             anywhere
27   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
28   DOCKER     all  --  anywhere             anywhere
29   ACCEPT     all  --  anywhere             anywhere
30   ACCEPT     all  --  anywhere             anywhere
31   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
32   DOCKER     all  --  anywhere             anywhere
33   ACCEPT     all  --  anywhere             anywhere
34   ACCEPT     all  --  anywhere             anywhere
35   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
36   DOCKER     all  --  anywhere             anywhere
37   ACCEPT     all  --  anywhere             anywhere
38   ACCEPT     all  --  anywhere             anywhere
39   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
40   DOCKER     all  --  anywhere             anywhere
41   ACCEPT     all  --  anywhere             anywhere
42   ACCEPT     all  --  anywhere             anywhere
43   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
44   DOCKER     all  --  anywhere             anywhere
45   ACCEPT     all  --  anywhere             anywhere
46   ACCEPT     all  --  anywhere             anywhere
47   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
48   DOCKER     all  --  anywhere             anywhere
49   ACCEPT     all  --  anywhere             anywhere
50   ACCEPT     all  --  anywhere             anywhere
51   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
52   DOCKER     all  --  anywhere             anywhere
53   ACCEPT     all  --  anywhere             anywhere
54   ACCEPT     all  --  anywhere             anywhere
55   ufw-before-logging-forward  all  --  anywhere             anywhere
56   ufw-before-forward  all  --  anywhere             anywhere
57   ufw-after-forward  all  --  anywhere             anywhere
58   ufw-after-logging-forward  all  --  anywhere             anywhere
59   ufw-reject-forward  all  --  anywhere             anywhere
60   ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ufw-before-logging-output  all  --  anywhere             anywhere
2    ufw-before-output  all  --  anywhere             anywhere
3    ufw-after-output  all  --  anywhere             anywhere
4    ufw-after-logging-output  all  --  anywhere             anywhere
5    ufw-reject-output  all  --  anywhere             anywhere
6    ufw-track-output  all  --  anywhere             anywhere

Chain DOCKER (13 references)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:51820
2    ACCEPT     tcp  --  anywhere             172.21.0.2           tcp dpt:8000
3    ACCEPT     tcp  --  anywhere             syn-172-100-000-009.res.spectrum.com  tcp dpt:http
4    ACCEPT     tcp  --  anywhere             syn-172-100-000-008.res.spectrum.com  tcp dpt:5216
5    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http-alt
6    ACCEPT     tcp  --  anywhere             192.168.0.2          tcp dpt:http
7    ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:3001
8    ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:943
9    ACCEPT     udp  --  anywhere             172.29.0.2           udp dpt:openvpn
10   ACCEPT     tcp  --  anywhere             192.168.0.2          tcp dpt:https
11   ACCEPT     tcp  --  anywhere             syn-172-100-000-006.res.spectrum.com  tcp dpt:22300
12   ACCEPT     tcp  --  anywhere             syn-172-100-000-007.res.spectrum.com  tcp dpt:postgresql
13   ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:9001
14   ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:http-alt
15   ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:9443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num  target     prot opt source               destination
1    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
2    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
3    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
4    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
5    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
6    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
7    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
8    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
9    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
10   DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
11   DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
12   DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
13   DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
14   RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (13 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere
2    DROP       all  --  anywhere             anywhere
3    DROP       all  --  anywhere             anywhere
4    DROP       all  --  anywhere             anywhere
5    DROP       all  --  anywhere             anywhere
6    DROP       all  --  anywhere             anywhere
7    DROP       all  --  anywhere             anywhere
8    DROP       all  --  anywhere             anywhere
9    DROP       all  --  anywhere             anywhere
10   DROP       all  --  anywhere             anywhere
11   DROP       all  --  anywhere             anywhere
12   DROP       all  --  anywhere             anywhere
13   DROP       all  --  anywhere             anywhere
14   RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
num  target     prot opt source               destination
1    ufw-user-forward  all  --  anywhere             anywhere
2    RETURN     all  --  10.0.0.0/8           anywhere
3    RETURN     all  --  172.16.0.0/12        anywhere
4    RETURN     all  --  192.168.0.0/16       anywhere
5    RETURN     udp  --  anywhere             anywhere             udp spt:domain dpts:1024:65535
6    ufw-docker-logging-deny  tcp  --  anywhere             192.168.0.0/16       tcp flags:FIN,SYN,RST,ACK/SYN
7    ufw-docker-logging-deny  tcp  --  anywhere             10.0.0.0/8           tcp flags:FIN,SYN,RST,ACK/SYN
8    ufw-docker-logging-deny  tcp  --  anywhere             172.16.0.0/12        tcp flags:FIN,SYN,RST,ACK/SYN
9    ufw-docker-logging-deny  udp  --  anywhere             192.168.0.0/16       udp dpts:0:32767
10   ufw-docker-logging-deny  udp  --  anywhere             10.0.0.0/8           udp dpts:0:32767
11   ufw-docker-logging-deny  udp  --  anywhere             172.16.0.0/12        udp dpts:0:32767
12   RETURN     all  --  anywhere             anywhere

Display More

Interessent · Aug 25th 2024

und Teil 2:

Code

Chain f2b-portscan-block (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  79.110.62.65         anywhere             reject-with icmp-port-unreachable
2    REJECT     all  --  security.criminalip.com  anywhere             reject-with icmp-port-unreachable
3    RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
num  target     prot opt source               destination

Chain ufw-after-input (1 references)
num  target     prot opt source               destination
1    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
2    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
3    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
4    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
5    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
6    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
7    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
num  target     prot opt source               destination

Chain ufw-after-output (1 references)
num  target     prot opt source               destination

Chain ufw-before-forward (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
3    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
4    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
5    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
6    ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
4    DROP       all  --  anywhere             anywhere             ctstate INVALID
5    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
6    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
7    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
8    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
9    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
10   ufw-not-local  all  --  anywhere             anywhere
11   ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
12   ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
13   ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
num  target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
num  target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
num  target     prot opt source               destination

Chain ufw-before-output (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ufw-user-output  all  --  anywhere             anywhere

Chain ufw-docker-logging-deny (6 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW DOCKER BLOCK] "
2    DROP       all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
2    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
3    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
4    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
5    DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
num  target     prot opt source               destination

Chain ufw-reject-input (1 references)
num  target     prot opt source               destination

Chain ufw-reject-output (1 references)
num  target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
num  target     prot opt source               destination

Chain ufw-track-input (1 references)
num  target     prot opt source               destination

Chain ufw-track-output (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
2    ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (2 references)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:51820
2    ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:9001

Chain ufw-user-input (1 references)
num  target     prot opt source               destination
1               tcp  --  anywhere             anywhere             tcp dpt:*SSHPORT* ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
2    ufw-user-limit  tcp  --  anywhere             anywhere             tcp dpt:*SSHPORT* ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
3    ufw-user-limit-accept  tcp  --  anywhere             anywhere             tcp dpt:*SSHPORT*
4               tcp  --  anywhere             anywhere             tcp dpt:*SSHPORT* ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
5    ufw-user-limit  tcp  --  anywhere             anywhere             tcp dpt:*SSHPORT* ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
6    ufw-user-limit-accept  tcp  --  anywhere             anywhere             tcp dpt:*SSHPORT*
7               udp  --  anywhere             anywhere             udp dpt:*SSHPORT* ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
8    ufw-user-limit  udp  --  anywhere             anywhere             udp dpt:*SSHPORT* ctstate NEW recent: UPDATE seconds: 30 hit_count: 6 name: DEFAULT side: source mask: 255.255.255.255
9    ufw-user-limit-accept  udp  --  anywhere             anywhere             udp dpt:*SSHPORT*

Chain ufw-user-limit (3 references)
num  target     prot opt source               destination
1    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
2    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (3 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
num  target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
num  target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
num  target     prot opt source               destination

Chain ufw-user-output (1 references)
num  target     prot opt source               destination

Display More

frank_m · Aug 26th 2024

Das ist immer noch nur ein Bruchteil der erforderlichen Regeln. Die NAT, Pre- und Post-Routing Regeln fehlen noch.

Interessent · Aug 26th 2024

Mehr wird mir mit iptables -L nicht angezeigt.

Wie finde ich den benötigten Rest?

frank_m · Aug 26th 2024

Indem du mit "-t" die entsprechenden Tabellen angibst, z.B. "raw", "nat", "mangle", "security".

Generell empfehle ich, dich intensiv mit iptables bzw. nftables zu befassen. ufw ist nur ein Frontend, die eigentliche Filterung findet woanders statt.

Interessent · Aug 26th 2024

Suche ich raus,kann aber heute Abend werden, evtl. früher

Casstg · Aug 26th 2024

Hiya

You appear to have copied the github contents verbatim and have not amended them, not sure if it makes a difference but i always ammend my to also include my custom docker networks

From your quote you have:

Code

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

Display More

And especially these lines:

Code

-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

Now i could be wrong however anything out side of those docker networks will still bypass UFW.

Looking at your firewall rules

Code

[ 3] 172.18.0.2 51820/udp       ALLOW FWD   Anywhere                   # allow wireguard 51820/udp wireguard-server_default
[ 4] 172.17.0.3 9001/tcp        ALLOW FWD   Anywhere                   # allow portainer_agent 9001/tcp bridge

You have containers on a 172.18 and 172.17 network, these are not declared in the docker UFW rules

I never use the default network of 172.16 however i do leave that rule in, but i change the other example 192.168 to match my docker network as thats just an example.

Change the line

Code

-A DOCKER-USER -j RETURN -s 192.168.0.0/16

to

Code

-A DOCKER-USER -j RETURN -s 172.18.0.0/12

And do the same for :

Code

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16

to

Code

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.18.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.18.0.0/12

Then duplicate each line for each network you have running on docker i.e your other 172.17.0.0/12

And try that

So it should look like this:

Code

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 172.17.0.0/12
-A DOCKER-USER -j RETURN -s 172.18.0.0/12

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.17.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.18.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.17.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.18.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

Display More

It may not make a difference but its how i have mine setup on Debian 12 and none of my containers are visible but i also have them on one network behind a proxy

Interessent · Aug 26th 2024

Casstg

Thanks for your input. Makes sense, try that later today.

I maybe wrong but there was no instruction on the GitHub page to modify these entries.

Casstg · Aug 26th 2024

Quote from Interessent

Casstg

Thanks for your input. Makes sense, try that later today.

I maybe wrong but there was no instruction on the GitHub page to modify these entries.

I agree it does not mention anything about modifying , but i noted his use of 192.168 being a home network default so i just amended it as that line is pointless on most cloud setups, so i always changed it to my custom docker network, may make no difference but worth a try

Interessent · Aug 26th 2024

will do... this evening