Docker is a powerful tool that can be used to create and manage applications and services. One of the great things about Docker is that it can be used with a UFW firewall. This article will show you how to use Docker with a UFW firewall. First, you need to install Docker on your machine. You can find the installation instructions here. Once you have installed Docker, you need to create a new container for using with your UFW firewall. To do this, open a terminal and type: docker create -t ufw –name mycontainer myfw-container This will create a new container called myfw-container that will use the UFW firewall. You can now use this container to run applications and services that require access to the internet through your UFW firewall.
Surprisingly, Docker does not work out of the box with Linux’s “Universal Firewall,” or UFW. They both modify the same iptables configuration, and this can lead to misconfigurations exposing containers that weren’t supposed to be public. Here’s how to fix it.
Why Doesn’t Docker Work With UFW?
UFW is intended to be a very simple firewall. The problem is that both UFW and Docker try to modify the same underlying firewall rules, and this conflict requires extra setup to sort out if you want to run UFW and Docker together.
If you set up a basic UFW firewall to deny by default and allow HTTP and SSH, this will appear secure—but it will not block Docker from starting containers bound to other ports. This issue can be hard to catch, as UFW and Docker are separate systems. UFW is unknowingly lying to you and will not show open ports from Docker containers.
This can be a major problem if you don’t catch it. For example, perhaps you wanted to run an internal admin panel on port 8000, and whitelist it to your own IP address. While this isn’t the most secure setup to begin with, it’s usually alright, especially if the panel has additional authentication.
However, UFW will show the firewall rule as properly whitelisted, and it will of course be visible to you from your whitelisted location. But, if it’s run through Docker, it will be visible on port 8000 from anywhere by default.
Fixing Docker’s Config
There is a solution Docker provides, by editing /etc/default/docker or /etc/docker/daemon.json and simply turning off Docker’s iptables functionality altogether:
This works, however, this is only a half solution. It disables Docker’s ability to manage its own networking and can cause containers to not be able to access the internet at all out of the box. This can still work, but you’ll need to manually maintain iptables rules for Docker containers and custom networks, which is complicated, annoying, and defeats the purpose of UFW’s simplicity.
The real solution is complicated, but luckily is common enough that there’s a helpful Github repo detailing the problem and the steps to fix it. Essentially, you need to modify UFW’s config at /etc/ufw/after.rules to add the following block at the end:
You can do that manually, but there’s a nice utility also provided in this repo that will automate it, and provide some helpful commands for checking the real firewall status. You can download it from this repo:
Then, install the config, and restart UFW.
Once restarted, the changes should apply automatically, but if they don’t, you may need to restart Docker or your machine in general. Once it’s enabled, the ports should all be properly blocked.
Whitelisting Docker Container Ports With UFW
This solution does require you to configure the port a little differently. The ufw-docker utility has a command that will selectively whitelist ports to specific Docker containers.
However, if you want to use a more advanced rule, such as IP based whitelisting, you’ll have to use ufw route allow
