Securing Docker with UFW: A Complete Guide

BigBearBlog
1

If you’re running Docker containers in production, you’ve probably noticed something peculiar: your carefully crafted UFW (Uncomplicated Firewall) rules don’t seem to affect Docker containers. This isn’t a bug—it’s actually Docker’s default behavior, but it can pose significant security risks. In this guide, we’ll explore why this happens and how to properly secure your Docker containers with UFW.

The Problem: Docker and UFW Don’t Play Nice

By default, Docker bypasses UFW rules by directly manipulating IPtables. This means that when you expose a port in a Docker container, it becomes accessible regardless of your UFW rules. This behavior can inadvertently expose your containers to the internet, even if you think they’re protected by your firewall.

Solutions for Securing Docker with UFW

There are two main approaches to securing Docker with UFW: using ufw-docker or manually configuring Docker’s iptables behavior. Let’s explore both methods.

Method 1: Using ufw-docker

The simplest and most robust solution is to use the ufw-docker script. This approach allows you to keep Docker’s default iptables configuration while still effectively using UFW to manage container access.

To implement this:

  1. Install the ufw-docker script from the GitHub repository:
    # Download the script
sudo wget -O /usr/local/bin/ufw-docker \
  https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker

# Make it executable
sudo chmod +x /usr/local/bin/ufw-docker

# Install the rules
sudo ufw-docker install
  2. Modify the UFW configuration file /etc/ufw/after.rules to include the necessary rules provided by ufw-docker
  3. Restart UFW or reload the rules:
    sudo systemctl restart ufw  # or sudo ufw reload

This method is recommended for most users as it:

  • Maintains Docker’s native networking capabilities
  • Provides simple integration with UFW
  • Requires minimal configuration
  • Is actively maintained by the community

Method 2: Manual Configuration

There are several approaches to solving this problem, but I’ll share another way.

Step 1: Disable Docker’s iptables Management

First, we need to prevent Docker from automatically manipulating iptables rules. Create or modify /etc/docker/daemon.json:

{
    "iptables": false,
    "ip6tables": false
}

After making these changes, restart the Docker daemon:

sudo systemctl restart docker

Step 2: Best Practices for Container Networking

When running containers, always follow these principles:

  1. Use Explicit Port Publishing
    Instead of using -P or exposing ports to all interfaces, explicitly publish ports with -p or --publish:

    # Secure: Bind to localhost
docker run -p 127.0.0.1:8080:80 nginx

# Avoid: Exposing to all interfaces
docker run -p 8080:80 nginx

  2. Bind to Specific Interfaces
    Always bind to specific interfaces (usually localhost) unless external access is required:

    # In docker-compose.yml
services:
  web:
    ports:
      - "127.0.0.1:8080:80"

Step 3: Configure UFW Rules

Now that Docker respects UFW, set up your firewall rules normally:

# Allow SSH access
sudo ufw allow ssh

# Allow specific ports for your applications
sudo ufw allow from 192.168.1.0/24 to any port 8080 proto tcp

# Enable UFW
sudo ufw enable

Benefits of This Approach

  1. Explicit Control: You have clear visibility into which ports are exposed
  2. Security by Default: Services are bound to localhost unless specifically configured otherwise
  3. UFW Integration: Your firewall rules work as expected with Docker
  4. Maintainability: Network configuration is more transparent and easier to audit

Common Pitfalls to Avoid

  1. Don’t Use -P Flag: Avoid automatic port publishing
  2. Don’t Expose All Interfaces: Unless necessary, bind to localhost
  3. Don’t Rely on Container Security: Always treat container networking as part of your overall security strategy
  4. Don’t Forget Internal Networks: Consider security between containers and internal networks

Production Considerations

When running in production, consider these additional steps:

  1. Network Segmentation: Use Docker networks to isolate container groups
  2. Regular Audits: Periodically review exposed ports and running containers
  3. Monitoring: Set up alerts for unauthorized port exposure
  4. Documentation: Maintain clear documentation of your network architecture

Conclusion

Properly configuring Docker to work with UFW is crucial for maintaining a secure container environment. By following these best practices, you can ensure that your containers are only accessible as intended, reducing your attack surface and maintaining proper network security.

Remember: security is a continuous process, not a one-time setup. Regularly review your Docker and UFW configurations to ensure they align with your security requirements and best practices.

Did you find this guide helpful? Let me know below!