
Please help clarify why the connection below is allowed.

I've set a Windows Server (IP 192.168.10.10) with Hyper-V running Ubuntu (IP 10.0.0.9). Within Ubuntu I've installed Docker, then some containers: nginx, mysql (3306), phpMyAdmin (9010) and wordpress (9011).

The Ubuntu UFW status is active and the allow list is: 22, 80, 443, 9011. Please notice that port 9010 is not listed.

At my desktop (IP 192.168.10.20) I can connect to phpMyAdmin via browser (http://10.0.0.9:9010).

As I understand, this connection to 9010 should not be allowed.

1 Answer

There are two possible solutions to fix this problem:

One solution is to disable Docker’s iptables feature by adding --iptables=false to the Docker daemon configuration file. However, this will also disable Docker’s ability to manage its own networking and can cause containers to not be able to access the internet at all. You will need to manually maintain iptables rules for Docker containers and custom networks, which can be complicated and tedious.

Another solution is to modify UFW’s configuration file at /etc/ufw/after.rules and add a block of rules that will allow UFW to forward traffic to Docker containers and respect the UFW allow list. This solution is more complicated, but it will preserve both UFW’s and Docker’s functionality. You can find the detailed steps and explanation in this GitHub repo.

  • If I understood the issue correctly, it was caused by Docker allowing port 9010 directly in iptables. In this case the mentioned access would be allowed, but it caught my attention because it happened before I had actually allowed it in UFW. That being said, I'm assuming there is no problem in letting it be without further changes (neither --iptables=false nor updating /etc/ufw/after.rules). What do you think?
    – rd1218
    Commented Oct 15, 2023 at 20:08
  • You are correct, the issue is caused by Docker manipulating iptables directly and bypassing UFW rules. If you are not concerned about the security implications of exposing port 9010 to the outside world, then you can leave it as it is without further changes. However, if you want to have more control over the ports that are accessible from outside, then I would recommend using one of the solutions that I mentioned in my answer. This way, you can ensure that only the ports that you explicitly allow in UFW are open to external connections.
    – NoOne
    Commented Oct 16, 2023 at 4:03
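As an added illustration of the bypass discussed in the answer and comments (an example script, not code from the answer or the linked repo), the function below compares the host ports Docker DNATs into containers with UFW's allow list and reports ports reachable only because of Docker's own iptables rules. The iptables and ufw output is constructed to mirror the question's setup; on a real host you would feed in `iptables -t nat -S DOCKER` and `ufw status` instead.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S DOCKER` on the Ubuntu VM
# (assumes the default docker0 bridge; real output names the bridge in use).
DOCKER_NAT_RULES='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.2:3306
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9010 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9011 -j DNAT --to-destination 172.17.0.4:80'

# Constructed sample of `ufw status`, matching the allow list in the question.
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
9011                       ALLOW       Anywhere'

# Host ports that Docker's DNAT rules forward into containers, one per line.
docker_published_ports() {
    printf '%s\n' "$1" | sed -n 's/.*--dport \([0-9]*\) -j DNAT.*/\1/p' | sort -u
}

# Ports UFW allows (numeric IPv4 rows, "/tcp" suffix stripped), one per line.
ufw_allowed_ports() {
    printf '%s\n' "$1" \
      | awk '$2 == "ALLOW" && $1 ~ /^[0-9]+(\/tcp)?$/ { sub(/\/tcp$/, "", $1); print $1 }' \
      | sort -u
}

# Ports reachable through Docker's DNAT that UFW never allowed:
# these are the ones that bypass the UFW allow list, like 9010 in the question.
docker_bypass_ports() {
    allowed=$(ufw_allowed_ports "$2")
    for p in $(docker_published_ports "$1"); do
        printf '%s\n' "$allowed" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

docker_bypass_ports "$DOCKER_NAT_RULES" "$UFW_STATUS"
```

On the question's setup this reports 3306 and 9010: both are published by Docker and neither is in the UFW allow list.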
