How to mess up your firewall in three easy steps
The way Docker manipulates
iptables actually bypasses
ufw, which is the default firewall on Ubuntu systems. You can block a port, spin up a container and in a blink of an eye the blocked port will be open again. It will even bypass Any/Any/Deny rules. To make the magic happen just follow the steps below.
Lets see how to reproduce this in detail with the example of a Tomcat container.
- On your host system use
ufwto deny access to a specific port
sudo ufw deny 8080 # Or if you want to block all incoming connections by default, use the command below but make sure you do not lock you out. # sudo ufw default deny incoming
- Check if your rule has been added
sudo ufw status verbose
- Forward a Docker port to the aforementioned port
docker run -it --rm -p 8080:8080 tomcat:8.0
- Try to access Tomcat from another computer. Tadaa! The port is now accessible from the outside although
ufw statuswill show you that it’s not. You will be welcomed by your favorite Tomcat status page.
Discussions about the problem and possible solutions can be found in the sources below. My suggestion after spending a lot of time on this topic: If you are not forced to stick to
ufw, just use iptables directly or another frontend like
firewalld which works with docker like a charm out of the box.