I have a development server with this UFW config:
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp LIMIT Anywhere
22/tcp (v6) LIMIT Anywhere (v6)
123/udp ALLOW OUT Anywhere
DNS ALLOW OUT Anywhere
80/tcp ALLOW OUT Anywhere
443/tcp ALLOW OUT Anywhere
22/tcp ALLOW OUT Anywhere
123/udp (v6) ALLOW OUT Anywhere (v6)
DNS (v6) ALLOW OUT Anywhere (v6)
80/tcp (v6) ALLOW OUT Anywhere (v6)
443/tcp (v6) ALLOW OUT Anywhere (v6)
22/tcp (v6) ALLOW OUT Anywhere (v6)
My problem is that this also blocks traffic internally from Docker.
I run a Docker container that maps 8000:8000 for http, and if I disable UFW I can make requests as expected. However, when UFW is enabled, I can't reach port 8000 even internally.
How do I allow this traffic for internal use? I want to access via ssh -L 8000:127.0.0.1:8000 example.com, so I don't want to open port 8000 for external access.
UPDATE:
Thinking that the problem might be that UFW also applies the rules to the loop-back interface I updated my rule with these new rules:
To Action From
-- ------ ----
Anywhere on lo ALLOW Anywhere
Anywhere on 127.0.0.1 ALLOW Anywhere
Anywhere (v6) on lo ALLOW Anywhere (v6)
Anywhere (v6) on 127.0.0.1 ALLOW Anywhere (v6)
Anywhere ALLOW OUT Anywhere on lo
Anywhere ALLOW OUT Anywhere on 127.0.0.1
Anywhere (v6) ALLOW OUT Anywhere (v6) on lo
Anywhere (v6) ALLOW OUT Anywhere (v6) on 127.0.0.1
This does not solve the problem.
ufw allow from <some_address> to any app <app_name>
The manpage states not to enter a port number:
You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.
This probably means it will let <app_name> use whatever port it needs to
Other commands which might be useful:
ufw app info <app_name>
Which lists the information on <app_name>'s profile.
ufw app update <app_name>
Which updates <app_name>'s profile. You can use all to update all application profiles.
You can use the:
ufw app update --add-new <app_name>
command to add a new profile for <app_name> and update it, following the rules you set out with ufw app default <policy>.
App profiles are stored in /etc/ufw/applications.d and sometimes /etc/services.
For more information, to view the man page for ufw
man ufw
Update: Docker uses a private interface called docker0, you can allow access for docker to your host system.
You can use the information on the interface to create a rule, for example,
ufw allow out on docker0 from 172.17.0.0/16
Using the port, you can make this rule more strict by using the following command, for example
ufw allow out on docker0 from 172.17.0.0/16 port 80 proto tcp
Docker creates a new interface for containers and to view this, you can use the ifconfig command:
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:a4:5e:e9:9c txqueuelen 0 (Ethernet)
RX packets 87 bytes 17172 (17.1 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 117 bytes 14956 (14.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
This interface routes traffic through 172.17.xxx.xxx
Related
I have an ubuntu server with a few docker containers running using docker-compose.
I mapped the mysql port as 3306:3306 and the adminer as 8080:8080.
It didn't work, but when I tried mapping 80:8080, adminer was working and can connect to the mysql db.
It seems no other ports allow any connections from outside other than the ssh port, http, and https ports.
I tried using ufw allow ..., but even with the rule clearly present upon checking ufw status, it still doesn't allow me to connect from port 8080.
What command am I supposed to run to make this work?
EDIT: this is how the ufw rules look now after I asked the person who started this server to open up the ports for me. Now, the 8080 and 3306 ports work, but the guy didn't tell me anything about what he did. I'm guessing there was some kind of other firewall only he had access to :/
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
8080/tcp ALLOW Anywhere
3306/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
8080 ALLOW Anywhere
80:61000/tcp ALLOW Anywhere
172.17.0.1 8081/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
8081/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
8080/tcp (v6) ALLOW Anywhere (v6)
3306/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
8080 (v6) ALLOW Anywhere (v6)
80:61000/tcp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
8081/tcp (v6) ALLOW Anywhere (v6)
8080/tcp ALLOW FWD Anywhere
8080/tcp (v6) ALLOW FWD Anywhere (v6)
On a ubuntu 21.10, using docker as a snap (snap install docker). With my firewall enabled, i have a problem resolving DNS:
$ docker run bash ping www.google.com
==> error
$ docker run bash ping 8.8.8.8
==> ok
If I disable the firewall, all is ok (sudo ufw disable):
$ docker run bash ping www.google.com
==> ok
My ufw status is like:
Status: active
To Action From
-- ------ ---- 22/tcp ALLOW Anywhere OpenSSH
ALLOW Anywhere Samba
ALLOW 192.168.100.0/24 22/tcp (v6)
ALLOW Anywhere (v6) OpenSSH (v6)
ALLOW Anywhere (v6)
I suspect that the docker container has no access to the internet over TCP (and probably UDP).
What would be the correct config to use to allow docker/snap to pass through the firewall?
I followed these instructions here to build a 3 node Docker Swarm cluster.
In the beginning I opened multiple ports with ufw in order to communicate between the docker nodes:
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
2376/tcp ALLOW IN Anywhere
2377/tcp ALLOW IN Anywhere
7946/tcp ALLOW IN Anywhere
7946/udp ALLOW IN Anywhere
4789/udp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
2376/tcp (v6) ALLOW IN Anywhere (v6)
2377/tcp (v6) ALLOW IN Anywhere (v6)
7946/tcp (v6) ALLOW IN Anywhere (v6)
7946/udp (v6) ALLOW IN Anywhere (v6)
4789/udp (v6) ALLOW IN Anywhere (v6)
As you can see port 80 is not open.
So, at the end of the tutorial I deployed the official nginx docker image to the cluster:
docker service create -p 80:80 --name webserver nginx
I was able to enter the IP address of my server and was presented the nginx hello world page.
Now I am wondering, why am I able to reach the webserver although port 80 is not open?
Docker sets iptables rules itself, interfering with UFW.
Try running the docker daemon with the additional command line option --iptables=false.
I am trying to dockerize my application. I have two servers, say server1 and server2. Server1 uses webservice hosted on server2. I have this in my
/etc/default/docker on server1:
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
As I understand this prevents docker from making any changes to iptables, overriding UFW settings. The UFW status shows this:
Status: active
To Action From
-- ------ ----
22 ALLOW Anywhere
443 ALLOW Anywhere
2375/tcp ALLOW Anywhere
22 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
2375/tcp (v6) ALLOW Anywhere (v6)
Now the trouble is I am not able to access server2 from my app which runs
in a container on server1. If I don't use the --iptables=false flag then I can access server2. What can I do to access server2 from the container without having to sacrifice UFW ?
If it matters , both server1 and server2 are on digitalocean and have private networking enabled.
I am new to ubuntu server. I have tried to open port 9090 on server for openfire but wont able to do so. I have installed ufw on our server.
what I did till now.
nmap localhost -p 9090
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-21 12:36 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000044s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
9090/tcp closed zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
output of sudo ufw status
Status: active
To Action From
-- ------ ----
9091/tcp ALLOW Anywhere
5222/tcp ALLOW Anywhere
7777/tcp ALLOW Anywhere
7443/tcp ALLOW Anywhere
7070/tcp ALLOW Anywhere
3478/tcp ALLOW Anywhere
3479/tcp ALLOW Anywhere
22 ALLOW Anywhere
80 ALLOW Anywhere
3306 ALLOW Anywhere
22/tcp ALLOW Anywhere
9090/tcp ALLOW Anywhere
9090 ALLOW Anywhere
9091/tcp (v6) ALLOW Anywhere (v6)
5222/tcp (v6) ALLOW Anywhere (v6)
7777/tcp (v6) ALLOW Anywhere (v6)
7443/tcp (v6) ALLOW Anywhere (v6)
7070/tcp (v6) ALLOW Anywhere (v6)
3478/tcp (v6) ALLOW Anywhere (v6)
3479/tcp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
3306 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
9090/tcp (v6) ALLOW Anywhere (v6)
9090 (v6) ALLOW Anywhere (v6)
delete 9090 port using ufw and add again . But still its showing port closed.
nmap outpu
nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-21 12:42 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00037s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
can anyone please help me what was issue
You not only need to allow access to the port with ufw, you also need a program to be listening on that port, for it to be considered open.
You can check that there is something listening on port 9090 with commands like lsof -i :9090 or netstat -tln | grep 9090.
This is because you don't have applications listening on the port. There are six port states for the nmap results. The closed state is A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it.
You could refer the nmap link to know more about the six states.