What is the best practice of docker + ufw under Ubuntu

旧巷少年郎 2020-11-27 10:14

I just tried out Docker. It is awesome but seems not to work nicely with ufw. By default, Docker will manipulate iptables a little bit. The outcome is not a bug but not wha

8 answers
  •  离开以前
    2020-11-27 11:12

    I spent two hours trying out the proposals above and from other posts. The only solution that worked was from Tsuna's post in this GitHub thread:

    Append the following at the end of /etc/ufw/after.rules (replace eth0 with your external facing interface):

    # Put Docker behind UFW
    *filter
    :DOCKER-USER - [0:0]
    :ufw-user-input - [0:0]
    
    -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
    -A DOCKER-USER -i eth0 -j ufw-user-input
    -A DOCKER-USER -i eth0 -j DROP
    COMMIT
    

    And undo any and all of:

    • Remove "iptables": "false" from /etc/docker/daemon.json
    • Revert to DEFAULT_FORWARD_POLICY="DROP" in /etc/default/ufw
    • Remove any docker related changes to /etc/ufw/before.rules

    Be sure to test that everything comes up fine after a reboot. I still believe Docker's out of the box behavior is dangerous and many more people will continue to unintentionally expose internal services to the outside world due to Docker punching holes in otherwise safe iptables configs.
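As an added example (not code from the answer above or from the GitHub thread it cites), the following POSIX shell renders that after.rules fragment for a chosen external interface and checks a captured `iptables -S DOCKER-USER` listing for the rules the answer expects, which is the post-reboot test the answer asks for; the interface name and the sample listings are constructed.

```shell
# Added example, not from the answer above or from the GitHub thread it cites:
# render the after.rules fragment for a chosen interface, and check a captured
# `iptables -S DOCKER-USER` listing for the rules the answer expects.

# Print the fragment for interface $1 (default eth0), as given in the answer.
docker_ufw_fragment() {
  cat <<EOF
# Put Docker behind UFW
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]

-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i ${1:-eth0} -j ufw-user-input
-A DOCKER-USER -i ${1:-eth0} -j DROP
COMMIT
EOF
}

# Read an `iptables -S DOCKER-USER` listing on stdin; return 0 only when the jump
# to ufw-user-input and the final DROP for interface $1 are present in that order
# and Docker's own `-j RETURN` (if present) comes after them. A RETURN placed
# above them hands the packet back to FORWARD before the DROP, so published
# ports stay reachable from outside. Run this after a reboot to confirm the order.
check_docker_user_chain() {
  awk -v iface="${1:-eth0}" '
    $0 == ("-A DOCKER-USER -i " iface " -j ufw-user-input") { fwd  = NR }
    $0 == ("-A DOCKER-USER -i " iface " -j DROP")           { drop = NR }
    $0 == "-A DOCKER-USER -j RETURN"                        { ret  = NR }
    END { exit !(fwd && drop && fwd < drop && (!ret || ret > drop)) }'
}

# Constructed sample listings, not captured from a real host.
GOOD_LISTING='-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i eth0 -j ufw-user-input
-A DOCKER-USER -i eth0 -j DROP
-A DOCKER-USER -j RETURN'
RETURN_FIRST_LISTING='-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER -i eth0 -j ufw-user-input
-A DOCKER-USER -i eth0 -j DROP'

# On a live host: iptables -S DOCKER-USER | check_docker_user_chain eth0
printf '%s\n' "$GOOD_LISTING" | check_docker_user_chain eth0 && echo "good listing: OK"
printf '%s\n' "$RETURN_FIRST_LISTING" | check_docker_user_chain eth0 || echo "RETURN first: ufw rules never reached"
```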
