chaifeng / ufw-docker

To fix the Docker and UFW security flaw without disabling iptables
GNU General Public License v3.0

Blocked IP addresses still can access docker container (fail2ban) #109

Open LinqLover opened 1 year ago

LinqLover commented 1 year ago

Thank you for this useful repo!

I followed the instructions to install the tool and forwarded a single docker container to the outside:

$ sudo ufw-docker status
[10] 172.18.0.2 5432/tcp        ALLOW FWD   Anywhere                   # allow my_postgres_db 5432/tcp my_postgres_db_network

And then banned a single IP (I did this manually, but later fail2ban should do that):

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 5432                       DENY IN     <the banned IP>
...
[ 3] 5432/tcp                   ALLOW IN    Anywhere                  
...
[10] 172.18.0.2 5432/tcp        ALLOW FWD   Anywhere                   # allow my_postgres_db 5432/tcp my_postgres_db_network
...
[12] 5432/tcp (v6)              ALLOW IN    Anywhere (v6)             

Unfortunately, I can still access the docker container at this port from the banned IP, even though accesses to other ports are banned as expected for the same IP. Any ideas what is going wrong here?

(Possibly related to #17)

baumheld commented 8 months ago

I have the same problem

vodasams57 commented 8 months ago

Have a look at the iptables chains to see which rules are applied first. It seems the ufw rules are applied before the fail2ban rules (named "f2b-...").

In addition ensure that fail2ban prepends the reject rules in the DOCKER-USER chain (or FORWARD chain), so they are applied before the ufw rules.

btw: we are using fail2ban as a container (https://github.com/linuxserver/docker-fail2ban -> https://github.com/linuxserver/fail2ban-confs/blob/master/README.md) and our fail2ban / ufw-docker setup works as expected.

watahani commented 7 months ago

It seems that fail2ban should deny forwarding as well to block packets to the docker container. The following conf works for me:

/etc/fail2ban/action.d/ufw.conf

# Fail2Ban action configuration file for ufw
#
# You are required to run "ufw enable" before this will have any effect.
#
# The insert position should be appropriate to block the required traffic.
# A number after an allow rule to the application won't be of much use.

[Definition]

actionstart =

actionstop =

actioncheck =

actionban = [ -n "<application>" ] && app="app <application>"
            ufw insert <insertpos> <blocktype> from <ip> to <destination> $app &&
            ufw route insert <insertpos> <blocktype> from <ip> to <destination> $app

actionunban = [ -n "<application>" ] && app="app <application>"
              ufw delete <blocktype> from <ip> to <destination> $app &&
              ufw route delete <blocktype> from <ip> to <destination> $app

[Init]
# Option: insertpos
# Notes.:  The position number in the firewall list to insert the block rule
insertpos = 1

# Option: blocktype
# Notes.: reject or deny
blocktype = deny

# Option: destination
# Notes.: The destination address to block in the ufw rule
destination = any

# Option: application
# Notes.: application from sudo ufw app list
application =

# DEV NOTES:
#
# Author: Guilhem Lettron
# Enhancements: Daniel Black
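The two comments above make the same point from different angles: a plain `ufw deny` lands in the INPUT path, while traffic to a published container is forwarded, so the ban has to sit in the forward path ahead of the ALLOW FWD rule, which is what the extra `ufw route insert` in the action above achieves. The following bash helper is an added example, not code from ufw-docker or from anyone in this thread. It scans an `iptables -S <chain>` style dump and reports whether a DROP/REJECT for a banned source precedes the first ACCEPT towards the container address. The chain name `ufw-user-forward`, the addresses 203.0.113.7 and 172.18.0.2 and the three sample dumps are constructed for illustration, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not code from ufw-docker or from anyone in this thread.
# iptables takes the first matching rule in a chain, so a fail2ban/ufw ban
# only blocks traffic to a published container if it sits in the FORWARD
# path (the chain ufw uses for `ufw route` rules) *before* the ALLOW FWD
# rule. This helper reads an `iptables -S <chain>` style dump on stdin and
# reports whether a DROP/REJECT for the banned source precedes the first
# ACCEPT towards the container address.
#
# Usage: iptables -S ufw-user-forward | ban_precedes_allow <banned-ip> <container-ip>
# Exit 0: ban is ahead of the allow (effective); 1: allow comes first or no ban.
ban_precedes_allow() {
  local banned_ip="$1" dest="$2" line
  while IFS= read -r line; do
    case "$line" in
      *" -s ${banned_ip}/32 "*"-j DROP"*|*" -s ${banned_ip}/32 "*"-j REJECT"*)
        return 0 ;;                       # ban seen before any allow: effective
      *" -d ${dest}/32 "*"-j ACCEPT"*)
        return 1 ;;                       # allow reached first: ban never fires
    esac
  done
  return 1                                # no ban in this chain at all
}

# Constructed sample dumps (chain name, rule shapes and the addresses
# 203.0.113.7 / 172.18.0.2 are illustrative, not captured from a real host).

# 1. What the original report describes: the ban went into the INPUT path
#    (`ufw insert 1 deny from ...`), so the forward chain only holds the allow.
dump_input_only_ban() {
  printf '%s\n' \
    '-N ufw-user-forward' \
    '-A ufw-user-forward -d 172.18.0.2/32 -p tcp -m tcp --dport 5432 -j ACCEPT'
}

# 2. After `ufw route insert 1 deny from 203.0.113.7 to any`: the drop is first.
dump_route_ban_first() {
  printf '%s\n' \
    '-N ufw-user-forward' \
    '-A ufw-user-forward -s 203.0.113.7/32 -j DROP' \
    '-A ufw-user-forward -d 172.18.0.2/32 -p tcp -m tcp --dport 5432 -j ACCEPT'
}

# 3. A route ban appended AFTER the allow (insertpos too large): useless.
dump_route_ban_after_allow() {
  printf '%s\n' \
    '-N ufw-user-forward' \
    '-A ufw-user-forward -d 172.18.0.2/32 -p tcp -m tcp --dport 5432 -j ACCEPT' \
    '-A ufw-user-forward -s 203.0.113.7/32 -j DROP'
}

# Wrappers that feed each constructed dump to the checker; exit status is the verdict.
check_input_only_ban()        { dump_input_only_ban        | ban_precedes_allow 203.0.113.7 172.18.0.2; }
check_route_ban_first()       { dump_route_ban_first       | ban_precedes_allow 203.0.113.7 172.18.0.2; }
check_route_ban_after_allow() { dump_route_ban_after_allow | ban_precedes_allow 203.0.113.7 172.18.0.2; }

for c in check_input_only_ban check_route_ban_first check_route_ban_after_allow; do
  if "$c"; then
    echo "$c: ban is effective for forwarded traffic"
  else
    echo "$c: ban does NOT block forwarded traffic"
  fi
done
```

On a real host, run the checker against `iptables -S ufw-user-forward` (or `iptables -S DOCKER-USER` if fail2ban writes there) after a test ban; only the second arrangement, where the drop precedes the ACCEPT for the container, actually stops the banned address from reaching the published port.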