Managing Docker Container Firewall Rules with ufw-docker

I recently migrated my server from Digital Ocean to Contabo to save on cost. While setting up the new server, I experimented with Traefik as my reverse proxy. My goal was to use ufw to block all incoming traffic except port 80, and to allow port 80 only from Cloudflare IPs. However, Docker's port publishing bypassed the ufw rules: Docker inserts its own iptables rules (the DOCKER chain) ahead of ufw's, so a published container port is reachable from anywhere regardless of what `ufw status` shows, which made my firewall configuration ineffective.

The solution is ufw-docker, a utility that manages ufw firewall rules specifically for Docker containers so that ufw's decisions apply to forwarded container traffic as well. For more details, see the project's repository at https://github.com/chaifeng/ufw-docker.

Install ufw-docker

sudo wget -O /usr/local/bin/ufw-docker \
  https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker

Enable ufw-docker

sudo ufw-docker install

To restrict access to only Cloudflare IPs, I adapted the cloudflare-ufw-updater script to work with Traefik's rules and ufw-docker. Here's the modified part of the script (run it as root, since both `ufw` and `docker inspect` need the privileges):

#!/bin/sh
set -eu

# Fetch the latest IPv4 range list from Cloudflare
# (the IPv6 list at https://www.cloudflare.com/ips-v6 is not handled here)
cf_ips=$(mktemp)
curl -sf https://www.cloudflare.com/ips-v4 -o "$cf_ips"
echo "" >> "$cf_ips"

# Get the Docker-assigned IP of the Traefik container (Compose default name)
traefik_ip=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' traefik-reverse-proxy-1)
[ -n "$traefik_ip" ] || { echo "could not determine the Traefik container IP" >&2; exit 1; }

# Restrict traffic to port 80 (TCP)
# UFW will skip a subnet if a rule already exists (which it probably does)
for ip in $(cat "$cf_ips"); do
  ufw route allow proto tcp from "$ip" to "$traefik_ip" port 80 comment 'Cloudflare IP range'
done

# Delete the downloaded list from above
rm -f "$cf_ips"

# Need to reload UFW before new rules take effect
ufw reload

To check if ufw is working, you can use the following command:

sudo ufw status

This will display your active firewall rules. Here’s an example output showing allowed traffic from Cloudflare IPs to the Traefik container:

Status: active

To                         Action      From
--                         ------      ----

172.18.0.2 80/tcp          ALLOW FWD   173.245.48.0/20            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   103.21.244.0/22            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   103.22.200.0/22            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   103.31.4.0/22              # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   141.101.64.0/18            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   108.162.192.0/18           # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   190.93.240.0/20            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   188.114.96.0/20            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   197.234.240.0/22           # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   198.41.128.0/17            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   162.158.0.0/15             # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   104.16.0.0/13              # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   104.24.0.0/14              # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   172.64.0.0/13              # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   131.0.72.0/22              # Cloudflare IP range
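Two things drift over time with this setup: Cloudflare adds and retires ranges, and the container IP the rules point at (172.18.0.2 above) can change when the container is recreated. The following audit script is an added example, not part of the original post or of ufw-docker: it compares the source ranges of the `ALLOW FWD` rules for a given container IP and port against a Cloudflare list and reports ranges that are missing a rule and rules whose range is no longer published. The `ufw status` text and the IP list are constructed samples embedded inline so the script runs offline; `203.0.113.0/24` is a documentation prefix used as a placeholder for a hypothetical new Cloudflare range. In production, feed it `$(ufw status)` and the freshly downloaded list instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit ufw "route allow" rules
# for a container against a Cloudflare IP list and report drift.

# Constructed sample of the Cloudflare list: two real published ranges plus
# 203.0.113.0/24, a documentation prefix standing in for a newly added range.
SAMPLE_CF_IPS='173.245.48.0/20
103.21.244.0/22
203.0.113.0/24'

# Constructed sample of `ufw status` output, trimmed to three rules; the
# last range (131.0.72.0/22) is deliberately absent from SAMPLE_CF_IPS above.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----

172.18.0.2 80/tcp          ALLOW FWD   173.245.48.0/20            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   103.21.244.0/22            # Cloudflare IP range
172.18.0.2 80/tcp          ALLOW FWD   131.0.72.0/22              # Cloudflare IP range'

# Read `ufw status` text on stdin and print the source range of every
# ALLOW FWD rule whose destination is "$1 $2/tcp".
allowed_sources() {
  awk -v ip="$1" -v port="$2/tcp" \
    '$1 == ip && $2 == port && $3 == "ALLOW" && $4 == "FWD" { print $5 }'
}

# Print the lines of $1 that do not occur in $2 (newline-separated sets).
# Both sets are streamed through one awk process with a separator line, which
# keeps this portable across awk implementations.
set_diff() {
  { printf '%s\n' "$2"; echo '--SEP--'; printf '%s\n' "$1"; } | awk '
    $0 == "--SEP--" { second = 1; next }
    !second        { seen[$0] = 1; next }
    NF && !($0 in seen)'
}

# Cloudflare ranges with no matching rule: $1 = container IP, $2 = port,
# $3 = Cloudflare list, $4 = `ufw status` text.
missing_rules() {
  set_diff "$3" "$(printf '%s\n' "$4" | allowed_sources "$1" "$2")"
}

# Rules whose source range is no longer in the Cloudflare list (same arguments).
stale_rules() {
  set_diff "$(printf '%s\n' "$4" | allowed_sources "$1" "$2")" "$3"
}

report() {
  echo "Ranges in the Cloudflare list without an ALLOW FWD rule to $1 port $2:"
  missing_rules "$@"
  echo "ALLOW FWD rules to $1 port $2 whose range is no longer published:"
  stale_rules "$@"
}

# Stand-alone run against the constructed samples.
report 172.18.0.2 80 "$SAMPLE_CF_IPS" "$SAMPLE_STATUS"
```

A stale rule is the more important finding of the two: it keeps a range open that Cloudflare has released, so the allow list no longer corresponds to Cloudflare's edge. Running the audit from the same cron job that refreshes the rules, and removing stale entries with `ufw route delete`, keeps the rule set equal to the published list rather than a growing superset of it.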