chaifeng / ufw-docker

To fix the Docker and UFW security flaw without disabling iptables
GNU General Public License v3.0

Cannot access service on host from container #53

Open anneb opened 3 years ago

anneb commented 3 years ago

Should the following setup work after installing ufw-docker?:

  1. a database service runs on the host
  2. a docker container on the same host needs access to the database (1)

The host is not on a private subnet, but on a public IP. That is why UFW is essential for this host.

After 'ufw disable', access from the container to the host is possible.

After 'ufw enable' I am getting the following lines in syslog when I try to connect from the container to the database on the host:

[UFW BLOCK] IN=docker0 OUT= PHYSIN=vethc149a32 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.17.0.2 DST=yy.yy.yy.yy LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58585 DF PROTO=TCP SPT=45360 DPT=5432 WINDOW=29200 RES=0x00 SYN URGP=0

yy.yy.yy.yy is the (public) IP of my host

I added the following ufw allow rules, but still cannot connect:

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       172.16.0.0/16
yy.yy.yy.yy                ALLOW       172.16.0.0/16
5432                       ALLOW       172.16.0.0/16

5432                       ALLOW FWD   172.16.0.0/16
yy.yy.yy.yy                ALLOW FWD   172.16.0.0/16

Is it possible to somehow prevent the [UFW BLOCK] (see log) from happening?

Thanks,

jackman815 commented 3 years ago

I got the same issue.

I just removed the following rules temporarily, then everything was all right.

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

Nexus2k commented 2 years ago

It's 172.16.0.0/12 not /16...
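As an added example (not code from the ufw-docker project or from anyone in this thread), here is a small Python checker that parses a `[UFW BLOCK]` kernel log line like the one in the original report and tests it against a set of `ufw status` allow rules. It shows why the rules as posted (source `172.16.0.0/16`) never cover a container at `172.17.0.2`, while `172.16.0.0/12` does, and why an `ALLOW FWD` rule is irrelevant for this packet: `OUT=` is empty, so the packet was heading for the host itself (the INPUT chain), not being forwarded. The log line and both rule sets are constructed to mirror the thread, with the public host IP replaced by the documentation address `203.0.113.10`.

```python
import ipaddress
import re

# Constructed sample log line, modelled on the [UFW BLOCK] entry in the issue.
# The public host IP is replaced with the documentation address 203.0.113.10.
SAMPLE_LOG = (
    "[UFW BLOCK] IN=docker0 OUT= PHYSIN=vethc149a32 SRC=172.17.0.2 "
    "DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58585 DF "
    "PROTO=TCP SPT=45360 DPT=5432 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# Constructed allow rules in the shape of `ufw status` rows: (to, action, from).
# RULES_AS_POSTED mirrors the /16 rules from the report; RULES_CORRECTED is the
# /12 source range suggested later in the thread.
RULES_AS_POSTED = [
    ("Anywhere", "ALLOW", "172.16.0.0/16"),
    ("203.0.113.10", "ALLOW", "172.16.0.0/16"),
    ("5432", "ALLOW", "172.16.0.0/16"),
    ("5432", "ALLOW FWD", "172.16.0.0/16"),
]
RULES_CORRECTED = [
    ("5432", "ALLOW", "172.16.0.0/12"),
]


def parse_ufw_block(line):
    """Extract the key=value fields of a [UFW BLOCK] log line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {
        "in_if": fields.get("IN", ""),
        "out_if": fields.get("OUT", ""),   # empty => destined for the host (INPUT)
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def rule_matches(rule, pkt):
    """True if one ufw allow rule would have covered the blocked packet.

    A packet logged with OUT= empty was heading for the host itself, so only
    plain ALLOW rules apply; ALLOW FWD rules only cover routed traffic.
    """
    to, action, frm = rule
    if pkt["out_if"] == "" and action != "ALLOW":
        return False
    if pkt["out_if"] != "" and action != "ALLOW FWD":
        return False
    src = ipaddress.ip_address(pkt["src"])
    if src not in ipaddress.ip_network(frm, strict=False):
        return False
    if to == "Anywhere":
        return True
    if to.isdigit():                       # "ufw allow from X to any port N"
        return int(to) == pkt["dport"]
    return ipaddress.ip_address(pkt["dst"]) == ipaddress.ip_address(to)


def explain_block(line, rules):
    """Return (parsed packet, list of rules that would have allowed it)."""
    pkt = parse_ufw_block(line)
    if pkt is None:
        return None, []
    return pkt, [r for r in rules if rule_matches(r, pkt)]


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("corrected", RULES_CORRECTED)):
        pkt, hits = explain_block(SAMPLE_LOG, rules)
        print(f"{label}: src={pkt['src']} dport={pkt['dport']} "
              f"to-host={pkt['out_if'] == ''} matching rules={hits}")
```

Running it prints no matching rule for the posted rule set and exactly the `5432 ALLOW 172.16.0.0/12` rule for the corrected one. The check is deliberately narrow: it models source, destination, port and INPUT-versus-FORWARD only, not ufw's full rule ordering or the ufw-docker chains, so treat a "matching rule" result as a pointer to the right rule to inspect rather than proof the firewall will accept the packet.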