UFW not blocking incoming traffic

Rogue asked:

I have a Debian 9 Server running UFW, and i’d like to block all incoming requests except on port 2122 (SSH), and 80/443 (For HTTP(s)).

I ran the following commands :

ufw reset
ufw default deny incoming
ufw default allow outgoing
ufw allow incoming 2122/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

Which compiles to :

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2122/tcp                   ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
2122/tcp (v6)              ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)

Seems like everything is fine, at least to me. But, when i run a docker container, on port 2424 (or, really, any other port), i can still access http://domain.tld:2424, despite the firewall.

I tried rebooting, restarting iptables, … No dice.
Any suggestion ? Thanks a lot !

My answer:


Docker opens ports in the firewall itself, for any ports that are EXPOSEd by the running containers. These do not show up in ufw output, but can be viewed in iptables.

You should:

  • Ensure that only ports that need to be accessible to the Internet are EXPOSEd.
  • Use docker-compose to orchestrate the creation and running of multiple related containers. They can talk to each other without having to expose ports.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.