Securing Docker: How to Fix IP Tables to Ensure UFW Blocks Unwanted Port Exposures
Introduction:
Docker, a widely adopted containerization platform in production and development environments, presents certain vulnerabilities that can make your instances susceptible to malicious bot attacks if not properly secured. One of the critical concerns is Docker's interaction with UFW (Uncomplicated Firewall): Docker inserts its own iptables rules, and those rules take precedence over the ones UFW manages. In this guide, we will look at this issue and provide steps to mitigate the risks effectively by installing and configuring ufw-docker.
The Problem:
When you enable UFW on a server that offers external services, it defaults to blocking all incoming connections, except for explicitly allowed ones. However, Docker bypasses these UFW rules and allows external access to published ports. This means that even if you use the command “ufw deny 8080” to restrict external access to port 8080, Docker will still expose it to the public network.
The Consequences:
Consequently, your Docker services become vulnerable to potential bot attacks, as malicious actors can effortlessly identify and exploit these open ports. If your Docker instances have generic passwords or lack proper database protection, they become easy targets for unauthorized access, data breaches, and various other security threats.
The Solution:
To address this issue and bolster the security of your Docker instances, it is crucial to install and configure ufw-docker. Follow the steps outlined below to effectively mitigate these risks:
Please note that this guide assumes you are using Ubuntu and UFW as your firewall management tool. Adjustments might be necessary if you are using a different operating system or firewall solution.
Step 1: Install ufw-docker
To begin, run these commands to install ufw-docker:
sudo wget -O /usr/local/bin/ufw-docker \
https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker
Step 2: Configure Docker with ufw-docker
Once ufw-docker is installed, you need to configure Docker to work with UFW using the following command:
sudo ufw-docker install
Step 3: Check the status of ufw-docker
To verify that ufw-docker is installed correctly and functioning properly, use the following command:
sudo ufw-docker check
Step 4: Identify the Docker instance name
To manage the firewall rules for a specific Docker instance, you need to know its name. Run the following command to list the running Docker instances:
docker ps
Note down the name of the Docker instance you want to protect.
Step 5: Configure firewall rules for the Docker instance
Now, let’s set up the firewall rules for the Docker instance. Assuming you want to expose port 80 for a Docker instance called “dashboard,” use the following command:
sudo ufw-docker service allow dashboard 80/tcp
This command allows incoming traffic on port 80 to reach the Docker instance named “dashboard.”
Step 6: Verify and manage the firewall rules
To check the status of the firewall rules and ensure they are applied correctly, use the following command:
sudo ufw-docker status
If you need to remove a specific rule, you can delete it using the following command:
sudo ufw-docker delete allow dashboard 80/tcp
Remember to replace “dashboard” with the actual name of the Docker instance you want to modify.
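As an added example that is not part of the original post or of the ufw-docker project, the following POSIX shell script wraps Steps 4 to 6 with the checks worth doing before touching the firewall: it validates the port/protocol syntax, confirms that the name matches a running container exactly (a substring match would silently pick the wrong container), confirms that the container actually publishes that port by parsing the output of "docker port", and only then runs the same "ufw-docker service allow" and "ufw-docker status" commands the post uses. The helper names (valid_port_spec, port_published, allow_service) are my own; the script assumes docker and ufw-docker are on PATH and that it is run as root.

```shell
#!/bin/sh
# Added example: pre-flight checks around "ufw-docker service allow".
# Not part of the original post or the ufw-docker project.
# Assumes docker and ufw-docker are on PATH and the script runs as root.
set -eu

# Accept only "<1-65535>/tcp" or "<1-65535>/udp", the form the post uses.
valid_port_spec() {
    port=${1%%/*}
    proto=${1#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Read "docker port <container>" output on stdin; succeed if $1 (e.g. 80/tcp)
# is published, i.e. a line such as "80/tcp -> 0.0.0.0:8080" is present.
port_published() {
    grep -q "^$1 -> "
}

# allow_service <container-name> <port/proto>
allow_service() {
    name=$1
    spec=$2
    if ! valid_port_spec "$spec"; then
        echo "bad port spec '$spec' (expected e.g. 80/tcp)" >&2
        return 2
    fi
    # Step 4: the name must match a running container exactly, otherwise
    # ufw-docker reports that the instance does not exist.
    if ! docker ps --format '{{.Names}}' | grep -qx -- "$name"; then
        echo "no running container named '$name'" >&2
        return 3
    fi
    # The port must be published (-p / ports:), otherwise ufw-docker reports
    # "Cannot find the published port ...".
    if ! docker port "$name" | port_published "$spec"; then
        echo "container '$name' does not publish $spec" >&2
        return 4
    fi
    # Steps 5 and 6: add the rule, then show the rules ufw-docker manages.
    ufw-docker service allow "$name" "$spec"
    ufw-docker status
}

# Run the live workflow only when both arguments are given, e.g.:
#   sudo sh allow-service.sh dashboard 80/tcp
if [ $# -eq 2 ]; then
    allow_service "$@"
fi
```

The exit codes 2, 3 and 4 distinguish the three pre-flight failures, so the script can be called from provisioning tooling and the failing check identified without reading the message.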
By following these steps, you can protect your Docker instances from unauthorized access by setting up proper firewall rules using ufw-docker. This will help prevent malicious bot attacks targeting generic passwords or unprotected databases.
Debugging Errors from ufw-docker
When you encounter errors while using ufw-docker, follow these steps to resolve them:
1. "ERROR: Docker instance 'dashboard' doesn't exist.":
This error indicates that the specified instance does not have its own private IP address, making it incompatible with the rule you're trying to add. To identify instances that can be added with ufw-docker, use the following command:
docker ps -aq | xargs -n 1 docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}} {{.Name}}' | awk '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {print}'
Example output:
172.18.0.1 /dashboard_loadbalancer
This command lists the IP addresses and names of instances that have valid IP addresses and can be used with ufw-docker.
2. "Cannot find the published port 80/tcp of instance 'dashboard' or cannot update outdated rule(s).":
This error occurs when the specified Docker instance does not have the port (e.g., port 80/tcp) exposed directly. If you are not using a network bridge adapter or the network_mode: host setting, there is no exposure issue to address.
To troubleshoot this error, ensure that you have properly exposed the required ports for the Docker instance in question. Modify the container's configuration or Docker run command to expose the necessary ports, so that ufw-docker can find them and function correctly.
3. "ERROR: UFW is disabled or you are not a root user, or mismatched iptables legacy/nf_tables":
This error indicates that the command execution is encountering one of the following issues:
- UFW (Uncomplicated Firewall) is disabled on the system.
- The user executing the command does not have root privileges.
- There is a mismatch between iptables, whether it’s using the legacy or nf_tables backend.
To resolve this issue, you need to address the respective problem. Here’s how:
1. Enable UFW:
- Check whether UFW is disabled by running the command sudo ufw status. If it shows "inactive," you need to enable it.
- Use the command sudo ufw enable to activate UFW and follow any prompts if necessary.
2. Gain Root Privileges:
- If you are not already the root user or do not have sufficient privileges, you can escalate your privileges using the command sudo su or any other relevant privilege escalation command.
- Provide the necessary password or credentials to authenticate and gain root access.
3. Resolving iptables Mismatch:
- Check whether there is a mismatch between iptables legacy and nf_tables by running the command sudo update-alternatives --config iptables.
- You will be presented with a selection of iptables alternatives. Choose the appropriate option based on your requirements and configuration.
- Follow the prompts to make the necessary changes.
By addressing the specific issue mentioned in the error message, you should be able to overcome the problem and proceed with the command execution successfully. Remember to exercise caution and use root privileges responsibly.
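As an added example that is not part of the original post or of the ufw-docker project, the following POSIX shell script checks the three causes listed under error 3 in one pass and prints the matching remedy for each one it finds: whether the caller is root, whether "ufw status" reports active, and whether the chains UFW creates are visible through the iptables binary on PATH (which is what a legacy/nf_tables mismatch looks like from the command line). The helper names (ufw_state, iptables_backend, diagnose) are my own; the script assumes ufw and iptables are installed, and the backend test relies on the fact that an active UFW creates a filter-table chain named ufw-user-input.

```shell
#!/bin/sh
# Added example: diagnose the three causes behind
# "ERROR: UFW is disabled or you are not a root user, or mismatched iptables legacy/nf_tables".
# Not part of the original post or the ufw-docker project.
set -eu

# stdin: output of "ufw status". Prints "active" or "inactive"; prints nothing
# if no "Status:" line is present (e.g. ufw was run without root).
ufw_state() {
    sed -n 's/^Status: *//p' | head -n 1
}

# stdin: output of "iptables -V", e.g. "iptables v1.8.7 (nf_tables)".
# Prints which backend the iptables binary on PATH is built for.
iptables_backend() {
    case "$(cat)" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Check all three causes, print a remedy for each one found, and return
# non-zero if anything needs fixing.
diagnose() {
    rc=0
    if [ "$(id -u)" -ne 0 ]; then
        echo "not running as root: re-run with sudo"
        rc=1
    fi
    state=$(ufw status 2>/dev/null | ufw_state)
    if [ "$state" != active ]; then
        echo "ufw status is '${state:-unknown}': run 'sudo ufw enable'"
        rc=1
    fi
    backend=$(iptables -V 2>/dev/null | iptables_backend)
    echo "iptables binary on PATH uses the $backend backend"
    # An active UFW creates the ufw-user-input chain in the filter table. If it
    # is not visible through the iptables binary on PATH, UFW wrote its rules
    # through the other backend (legacy vs nf_tables), which is the mismatch
    # the error message refers to.
    if ! iptables -n -L ufw-user-input >/dev/null 2>&1; then
        echo "ufw chains not visible via iptables ($backend): check 'sudo update-alternatives --config iptables'"
        rc=1
    fi
    return "$rc"
}

# Run the live diagnosis only when asked, e.g.: sudo sh diagnose.sh run
if [ $# -eq 1 ] && [ "$1" = run ]; then
    diagnose
fi
```

Run it before and after changing the iptables alternative: the backend line tells you which binary "iptables" currently resolves to, and the chain check tells you whether UFW's rules are reachable through it.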