chaifeng / ufw-docker

To fix the Docker and UFW security flaw without disabling iptables
GNU General Public License v3.0

UFW changes don't have any effect #83

Open Richacinas opened 2 years ago

Richacinas commented 2 years ago

Hi there,

I have followed your instructions, but I can't manage to make UFW take any effect on the ports.

Here you can see my docker-compose.yml file content:

version: '3.6'

services:
  typesense:
    container_name: typesense
    image: 'typesense/typesense:0.22.1'
    entrypoint: sh -c "/opt/typesense-server --data-dir /data --api-key=${TYPESENSE_API_KEY:-86c5153b35cf} --enable-cors --ssl-certificate=/data/letsencrypt/live/${SSL_CERTIFICATE_PATH:-compric.local/local.pem} --ssl-certificate-key=/data/letsencrypt/live/${SSL_CERTIFICATE_KEY_PATH:-compric.local/local.key}"
    ports:
      - '8108:8108'
    volumes:
      - ./typesense-data/:/data
      - ./nginx_data/certs:/data/letsencrypt

  wp:
    build:
      context: .
      target: wordpress
      args:
        xdebug: ${XDEBUG:-false}
    container_name: wp_gatsby
    volumes:
      - ./nginx_data/cache:/var/www/cache
      - ./wordpress:/var/www/html/compric
      - ./php/conf.d/rocketstack-php.ini:/usr/local/etc/php/conf.d/rocketstack-php.ini
      - ./php/pool.d/www2.conf:/usr/local/etc/php-fpm.d/www2.conf
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_NAME: "${DB_NAME}"
      WORDPRESS_DB_USER: root
      WORDPRESS_DB_PASSWORD: "${DB_PASSWORD}"
    depends_on:
      - db
    links:
      - db

  pma:
    image: phpmyadmin/phpmyadmin
    container_name: pma_gatsby
    environment:
      PMA_HOST: db
      PMA_PORT: 3306
      PMA_PMADB: phpmyadmin
    ports:
      - "8081:80"
    links:
      - db:db

  db:
    image: mysql:latest
    container_name: mysql_gatsby
    command: --default-authentication-plugin=mysql_native_password
    ports:
      - "127.0.0.1:3306:3306"
    volumes:
      - ./wp-data:/docker-entrypoint-initdb.d
      - ./db_data:/var/lib/mysql
      - ./mysql/conf/rocketstack.cnf:/etc/mysql/conf.d/rocketstack.cnf
    environment:
      - MYSQL_ROOT_PASSWORD=${DB_ROOT_PASSWORD:-password}
      - MYSQL_USER=${DB_USER:-root}
      - MYSQL_PASSWORD=${DB_PASSWORD:-password}
      - MYSQL_DATABASE=${DB_NAME:-wordpress}
    restart: unless-stopped
  mongodb:
    image: mongo:${MONGO_VERSION-5.0}
    container_name: mongodb
    ports:
      - "27017:27017"
    volumes:
      - ./mongodb_data:/data/db
      - ./mongo-init.sh:/docker-entrypoint-initdb.d/mongo-init.sh
    environment:
      - MONGO_INITDB_ROOT_USERNAME=${MONGO_INITDB_ROOT_USERNAME:-root}
      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_INITDB_ROOT_PASSWORD:-mongo_password}
      - MONGO_INITDB_DATABASE=${MONGO_INITDB_DATABASE:-products}
      - MONGO_INITDB_USER=${MONGO_INITDB_USER:-u_crawlo}
      - MONGO_INITDB_PWD=${MONGO_INITDB_PWD:-u_crawlo_password}
    restart: unless-stopped

  ftp:
    build:
      context: .
      target: ftp
    container_name: ftp_gatsby
    ports:
      - "21:21"
      - "30000-30009:30000-30009"
    environment:
      PUBLICHOST: ${IP}
      FTP_USER_NAME: ${FTP_USER_NAME:-user}
      FTP_USER_PASS: ${FTP_USER_PASS:-password}
      FTP_USER_HOME: /var/www/html/compric
      FTP_USER_UID: 100
      FTP_USER_GID: 101
    volumes:
      - ./wordpress:/var/www/html/compric
      - ./ftp-data:/etc/ssl/privatec
    restart: unless-stopped

  nginx:
    build:
      context: .
      target: nginx
    container_name: ${NGINX_CONTAINER:-nginx}
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./nginx/snippets:/etc/nginx/snippets
      - ./nginx/conf/${ENVIRONMENT:-./local}:/etc/nginx/conf.d/
      - ./nginx_data/cache:/var/www/cache
      - ./nginx_data/logs/nginx:/var/log/nginx
      - ./nginx_data/certs:/etc/letsencrypt
      - ./nginx_data/certs-data:/data/letsencrypt
      - ./wordpress:/var/www/html/compric
    depends_on:
      - wp
    restart: unless-stopped

networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: "172.29.0.0/24"

Here is the result of sudo iptables -S:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-docker-logging-deny
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-b5785bd09d34 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b5785bd09d34 -j DOCKER
-A FORWARD -i br-b5785bd09d34 ! -o br-b5785bd09d34 -j ACCEPT
-A FORWARD -i br-b5785bd09d34 -o br-b5785bd09d34 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30009 -j ACCEPT
-A DOCKER -d 172.29.0.3/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.29.0.4/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30008 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30007 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30006 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30005 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30004 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30003 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30002 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30001 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 30000 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 21 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-b5785bd09d34 ! -o br-b5785bd09d34 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-b5785bd09d34 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 192.168.0.0/16 -j RETURN
-A DOCKER-USER -s 172.29.0.0/24 -j RETURN
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -d 192.168.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -d 172.16.0.0/12 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -d 172.29.0.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -d 192.168.0.0/16 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -d 10.0.0.0/8 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -d 172.16.0.0/12 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -d 172.29.0.0/24 -p udp -m udp --dport 0:32767 -j ufw-docker-logging-deny
-A DOCKER-USER -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-forward -s 163.116.174.21/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-forward -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-forward -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-forward -s 163.116.169.113/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-forward -s 163.116.169.113/32 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 8081 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 8081 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-input -s 73.249.3.125/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-input -s 73.249.3.125/32 -p udp -m udp --dport 27017 -j ACCEPT
-A ufw-user-input -s 82.64.254.88/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-input -s 82.64.254.88/32 -p udp -m udp --dport 27017 -j ACCEPT
-A ufw-user-input -s 163.116.169.113/32 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

And finally, here you can see how my docker services are actually listening properly (sudo netstat -ntlp | grep LISTEN):

tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      132322/docker-proxy
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      132355/docker-proxy
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN      132727/docker-proxy
tcp        0      0 0.0.0.0:30001           0.0.0.0:*               LISTEN      132689/docker-proxy
tcp        0      0 0.0.0.0:30002           0.0.0.0:*               LISTEN      132660/docker-proxy
tcp        0      0 0.0.0.0:30003           0.0.0.0:*               LISTEN      132627/docker-proxy
tcp        0      0 0.0.0.0:30004           0.0.0.0:*               LISTEN      132604/docker-proxy
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      132765/docker-proxy
tcp        0      0 0.0.0.0:30005           0.0.0.0:*               LISTEN      132569/docker-proxy
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      706/systemd-resolve
tcp        0      0 0.0.0.0:30006           0.0.0.0:*               LISTEN      132542/docker-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      783/sshd: /usr/sbin
tcp        0      0 0.0.0.0:30007           0.0.0.0:*               LISTEN      132515/docker-proxy
tcp        0      0 0.0.0.0:30008           0.0.0.0:*               LISTEN      132439/docker-proxy
tcp        0      0 0.0.0.0:30009           0.0.0.0:*               LISTEN      132295/docker-proxy
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1997/master
tcp6       0      0 :::27017                :::*                    LISTEN      132328/docker-proxy
tcp6       0      0 :::3306                 :::*                    LISTEN      132368/docker-proxy
tcp6       0      0 :::30000                :::*                    LISTEN      132734/docker-proxy
tcp6       0      0 :::30001                :::*                    LISTEN      132702/docker-proxy
tcp6       0      0 :::30002                :::*                    LISTEN      132666/docker-proxy
tcp6       0      0 :::30003                :::*                    LISTEN      132640/docker-proxy
tcp6       0      0 :::30004                :::*                    LISTEN      132610/docker-proxy
tcp6       0      0 :::21                   :::*                    LISTEN      132776/docker-proxy
tcp6       0      0 :::30005                :::*                    LISTEN      132581/docker-proxy
tcp6       0      0 :::30006                :::*                    LISTEN      132548/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      783/sshd: /usr/sbin
tcp6       0      0 :::30007                :::*                    LISTEN      132522/docker-proxy
tcp6       0      0 :::30008                :::*                    LISTEN      132449/docker-proxy
tcp6       0      0 :::30009                :::*                    LISTEN      132305/docker-proxy
tcp6       0      0 :::25                   :::*                    LISTEN      1997/master

I would like to use UFW so I can make my server more secure, because, as you know, Docker is opening to the whole world every port that I map from my containers to the host. Everything looks good, but when I try to connect from my computer (163.116.169.113) to port 27017, the connection gets blocked.

Do you think there is a problem with my Docker network? Maybe it should be bridge?
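
When debugging a report like the one above, the useful question is not whether UFW "works" but which verdict the `DOCKER-USER` chain produces for a given source address and published port. The script below is an added example written for this page; it is not code from the ufw-docker project or from the issue author. It parses `iptables -S` output of the shape posted above (the sample dump embedded in the script is a constructed subset of those lines), lists the container ports Docker has published (the `DOCKER` chain), and walks `DOCKER-USER` and the chains it jumps to the way netfilter would for a new inbound TCP SYN. It deliberately ignores interface (`-i`/`-o`) and rate-limit matches and does not model the nat table, so it is a reading aid, not a substitute for `iptables -t nat -S` and a real connection test.

```python
import ipaddress
import shlex

# Constructed sample: a subset of the `iptables -S` lines from the post above.
SAMPLE_DUMP = """
-A DOCKER -d 172.29.0.3/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.29.0.4/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.29.0.2/32 ! -i br-b5785bd09d34 -o br-b5785bd09d34 -p tcp -m tcp --dport 21 -j ACCEPT
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -s 10.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 192.168.0.0/16 -j RETURN
-A DOCKER-USER -d 10.0.0.0/8 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -d 172.16.0.0/12 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -d 192.168.0.0/16 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ufw-docker-logging-deny
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
-A ufw-user-forward -s 163.116.174.21/32 -p tcp -m tcp --dport 27017 -j ACCEPT
-A ufw-user-forward -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-forward -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-forward -s 163.116.169.113/32 -p tcp -m tcp --dport 27017 -j ACCEPT
"""

TWO_ARG_OPTIONS = {"--tcp-flags"}          # options that take two values
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # built-in targets that end evaluation


def parse_rules(dump):
    """Turn `-A CHAIN ...` lines into dicts of option -> value, recording `!` negations."""
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)             # shlex keeps "--log-prefix" values intact
        if len(toks) < 2 or toks[0] != "-A":
            continue                         # skip -P policy and -N chain declarations
        rule, negated, i, negate = {"chain": toks[1]}, set(), 2, False
        while i < len(toks):
            if toks[i] == "!":
                negate, i = True, i + 1
                continue
            n = 2 if toks[i] in TWO_ARG_OPTIONS else 1
            rule[toks[i]] = " ".join(toks[i + 1:i + 1 + n])
            if negate:
                negated.add(toks[i])
                negate = False
            i += 1 + n
        rule["negated"] = negated
        rules.append(rule)
    return rules


def _port_in(spec, port):
    lo, _, hi = spec.partition(":")          # "1024:65535" or a single port
    return int(lo) <= port <= int(hi or lo)


def _matches(rule, pkt):
    """Apply the selectors this model understands; -i/-o and -m limit are ignored (assumption)."""
    checks = []
    if "-s" in rule:
        checks.append(("-s", pkt["src"] in ipaddress.ip_network(rule["-s"])))
    if "-d" in rule:
        checks.append(("-d", pkt["dst"] in ipaddress.ip_network(rule["-d"])))
    if "-p" in rule:
        checks.append(("-p", rule["-p"] == pkt["proto"]))
    if "--dport" in rule:
        checks.append(("--dport", _port_in(rule["--dport"], pkt["dport"])))
    if "--sport" in rule:
        checks.append(("--sport", _port_in(rule["--sport"], pkt["sport"])))
    if "--ctstate" in rule:
        checks.append(("--ctstate", pkt["state"] in rule["--ctstate"].split(",")))
    if "--tcp-flags" in rule:
        # The modeled packet is the initial SYN of a new TCP connection.
        checks.append(("--tcp-flags", pkt["proto"] == "tcp" and pkt["state"] == "NEW"))
    return all(hit != (opt in rule["negated"]) for opt, hit in checks)


def evaluate(rules, chain, pkt, depth=0):
    """Walk one chain in order; return ACCEPT/DROP/REJECT, or RETURN when it falls through."""
    if depth > 8:
        raise RuntimeError("chain jump depth exceeded")
    for rule in (r for r in rules if r["chain"] == chain):
        if not _matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target is None or target == "LOG":
            continue                         # LOG is non-terminating
        if target in TERMINATING or target == "RETURN":
            return target
        verdict = evaluate(rules, target, pkt, depth + 1)  # user-defined chain
        if verdict != "RETURN":
            return verdict
    return "RETURN"


def published_ports(rules):
    """Container (ip, proto, port) triples Docker exposes via the DOCKER chain."""
    return [(ipaddress.ip_address(r["-d"].split("/")[0]), r["-p"], int(r["--dport"]))
            for r in rules
            if r["chain"] == "DOCKER" and r.get("-j") == "ACCEPT" and "--dport" in r]


def audit(dump, src_ip):
    """For each published port, the DOCKER-USER verdict for a new SYN from src_ip.
    RETURN means ufw-docker did not decide and Docker's own DOCKER chain will accept."""
    rules = parse_rules(dump)
    src = ipaddress.ip_address(src_ip)
    report = {}
    for dst, proto, port in published_ports(rules):
        pkt = {"src": src, "dst": dst, "proto": proto, "dport": port,
               "sport": 40000, "state": "NEW"}
        report[f"{proto}/{port}->{dst}"] = evaluate(rules, "DOCKER-USER", pkt)
    return report


if __name__ == "__main__":
    for src in ("163.116.169.113", "10.1.2.3"):
        print(src, audit(SAMPLE_DUMP, src))
```

Run against the real host with `sudo iptables -S | python3 audit.py`-style piping after swapping `SAMPLE_DUMP` for `sys.stdin.read()`. For the sample above it reports that 27017 is accepted for 163.116.169.113 while 3306 and 21 hit `ufw-docker-logging-deny` (visible in the kernel log as `[UFW DOCKER BLOCK]`), and that any RFC 1918 source is handed back to Docker's own chains; a published port that still fails from an address the audit says is accepted points at something this filter model does not cover, such as the nat table, the interface names, or a rule set that was not reloaded.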

shinebayar-g commented 1 year ago

Have you actually created your ufw rules? Curious because you didn't show any ufw commands.