Hello, I've tried as much as I can think of and I can't figure this one out. This has

Containers still access internet about ufw-docker HOT 1 CLOSED

shoodidagen commented on May 27, 2024

Containers still access internet

from ufw-docker.

Comments (1)

shoodidagen commented on May 27, 2024

Issue was down to incorrect subnets being used when editing /etc/ufw/after.rules

The auto installer makes assumptions to the subnets being used.

Please could this be added to the main Read Me to prevent others from falling for the same trap.

Using the following command to show all subnets in CIDR

ip -o -4 route show | awk '{print $1}' | grep -oP '\b\d+\.\d+\.\d+\.\d+\/\d+\b'

Example:

then updating the /etc/ufw/after.rules with the returning subnets, NOT the default ones shown in the example.

Example of what to add to after.rules using the above subnets as examples;

# BEGIN UFW AND DOCKER

*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/24
-A DOCKER-USER -j RETURN -s 172.17.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/24
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.17.0.0/16

-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/24
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.17.0.0/16

-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
# END UFW AND DOCKER