chaifeng / ufw-docker

To fix the Docker and UFW security flaw without disabling iptables
GNU General Public License v3.0
4.52k stars 382 forks source link

Making sure I'm understanding the rules correctly... #77

Open binaryfire opened 2 years ago

binaryfire commented 2 years ago

Hey @chaifeng

Thanks for a great solution! I'm going for a zero-trust network so I want to drop all traffic by default (including from private network addresses). And then add UFW rules for the specific private and public ips I want to allow.

Do I just need to remove the rules ending in192.168.0.0/16 to achieve this?

So this:

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
::ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER

Combined with UFW commands like this:

Is this the right approach? Btw I'm using Docker in Swarm mode

Thanks!

binaryfire commented 2 years ago

@chaifeng Also, I don't need to log dropped requests.

Will ufw logging off also switch off logging for ufw-docker-logging-deny? Or do I need to remove -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] " ?

Thanks :)

chaifeng commented 2 years ago

Yes, just remove the three lines of code about 192.168.0.0/16 if you don't trust this network.

chaifeng commented 2 years ago

@chaifeng Also, I don't need to log dropped requests.

Will ufw logging off also switch off logging for ufw-docker-logging-deny? Or do I need to remove -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] " ?

Thanks :)

Correct!

binaryfire commented 2 years ago

@chaifeng Thank you!

Just to confirm- are the 10.0.0.0/8 and 172.16.0.0/12 ranges both required for Docker’s internal networking?

chaifeng commented 2 years ago

@chaifeng Thank you!

Just to confirm- are the 10.0.0.0/8 and 172.16.0.0/12 ranges both required for Docker’s internal networking?

depends on your configurations of docker/swarm networks, for example, https://docs.docker.com/network/bridge/#configure-the-default-bridge-network