[英]ufw seems not to block all ports (Ubuntu with Docker)
There is a server with Ubuntu 20. It has Docker installed, and several containers are running.有一台Ubuntu 20的服务器,安装了Docker,有几个容器在运行。 The
reverseproxy
is a Nginx that should take traffic on 80 and 443, and route it to the containers.反向代理是一个
reverseproxy
,它应该在 80 和 443 上接收流量,并将其路由到容器。 It works perfectly.它工作得很好。 But now I wanted to block all traffic (apart from 80, 443 and ssh) with ufw.
但现在我想用 ufw 阻止所有流量(80、443 和 ssh 除外)。
Somehow traffic on http ports 3000, 3001, 8081, 15672 (ports published by containers) still gets through.不知何故,http 端口 3000、3001、8081、15672(容器发布的端口)上的流量仍然可以通过。
Why?为什么? How to block all traffic using ufw?
如何使用 ufw 阻止所有流量?
ufw configuration ufw配置
www@broowqh:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
9000 ALLOW IN Anywhere
3001 DENY IN Anywhere
3001/tcp DENY IN Anywhere
3001/udp DENY IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
9000 (v6) ALLOW IN Anywhere (v6)
3001 (v6) DENY IN Anywhere (v6)
3001/tcp (v6) DENY IN Anywhere (v6)
3001/udp (v6) DENY IN Anywhere (v6)
docker ps -a docker ps-a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
48709042d67f nginx:1.23-alpine "/docker-entrypoint.…" 10 hours ago Up 10 hours. 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp. reverseproxy
401d6576b3e0 adminer:4.8.1 "entrypoint.sh docke…" 10 hours ago Up 10 hours. 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp adminer
c47966cae717 postgres:14.1-alpine "docker-entrypoint.s…" 10 hours ago Up 10 hours. 5432/tcp db
1c3709a07fb0 www:current "docker-entrypoint.s…" 15 hours ago Up 10 hours. 0.0.0.0:3001->3001/tcp, :::3001->3001/tcp www
db252e2833bc postgrest/postgrest:v10.0.0 "/bin/postgrest" 18 hours ago Up 10 hours. 0.0.0.0:3000->3000/tcp, :::3000->3000/tcp api
68396bebcaa8 rabbitmq:3.9.13-management-alpine "docker-entrypoint.s…" 19 hours ago Up 10 hours. 0.0.0.0:5672->5672/tcp, 0.0.0.0:15672->15672/tcp broker
Nginx configuration Nginx配置
upstream www {
server www:3001;
}
upstream api {
server api:3000;
}
upstream adminer {
server adminer:8080;
}
upstream rabbit {
server broker:15672;
}
server {
listen 80;
listen [::]:80;
server_name example.com
location / {
return 301 https://example.com$request_uri;
}
}
server {
listen 443 default_server ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/live/smartplaylist.me/example.crt;
ssl_certificate_key /etc/nginx/ssl/live/smartplaylist.me/example.key;
location /adminer/ {
proxy_pass http://adminer/;
}
location /rabbit/ {
proxy_pass http://rabbit/;
}
location /api/ {
proxy_pass http://api/;
}
location / {
proxy_pass http://www/;
}
}
Docker bypass the UFW rules and the published ports can be accessed from outside. Docker 绕过 UFW 规则,可以从外部访问已发布的端口。 You can publish the port onto a specific interface, eg
127.0.0.1:8080:80
which would publish the port 8080 on the host's loopback interface (127.0.0.1) to connect to a container's port 80, and that loopback interface is not externally accessible.您可以将端口发布到特定接口上,例如
127.0.0.1:8080:80
将在主机的环回接口(127.0.0.1)上发布端口 8080 以连接到容器的端口 80,并且该环回接口不可从外部访问.
With UFW you are modifying the INPUT rules, but docker adds it rules in PREROUTING
table, that mean you can't put filter rules at INPUT
chain because it will never match and bypass all.使用 UFW,您正在修改 INPUT 规则,但 docker 在
PREROUTING
表中添加了它的规则,这意味着您不能将过滤规则放在INPUT
链中,因为它永远不会匹配并绕过所有规则。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.