Firewall with Docker on Ubuntu

rasping5978

Hi, I recently purchased my new VPS running Ubuntu 22. I have a public IPv4 address. I have set up Docker on Ubuntu and was able to spin up my services. However, those exposed ports are publicly on the internet and anyone can access through :. I don't want the service port to be exposed so I set up Nginx Proxy Manager as my reverse proxy. It works but service port is still exposed.

I then used a firewall (ufw) and only allow 80 and 443, however it still doesn't block. Searched up and looks like its a bug for Docker and ufw. Now I used ufw-docker, yes it blocks my Docker services from the public network. Now I want to continue to only proxy my services through the reverse proxy. However it still does not seem to work. I tried adding a nginxproxymanager bridge network and having all my Docker containers use that bridge network, however nginxproxymanager could not seem to reach the other containers.

At this point I feel like giving up hahaha I am not sure what is the cause, is it Ubuntu, ufw-docker, or Docker? I am accessing the VPS though Wireguard and it works as expected. Yay.

What is the best practices for setting up Ubuntu, Docker on a VPS? What other tips would you provide? I have set up password-less authentication on SSH too and set up 2FA on my provider.

For context I have my homelab set up using my home IP. I am trying to have a similar set up on a VPS, where the server directly have the public IP, unlike a home network where it goes through a firewall/router. My local server can expose services internally eg 192.168.1.20:9999 without exposing it to the public internet.

Thank you!

dosai

Follow this tutorial,

https://www.fuzzygrim.com/posts/secure-vps#ufw

bdl

It's not really a bug, rather both ufw and docker alter iptables

WhizzWr

Had this problem a while back.

What happened is docker overrides ufw since it interacts with iptables after ufw rules were set.

Solutions:

1. Expose your docker to local IP (e.g. 127.0.0.1:80 rather than: 80, or
2. Modify ufw after rules to override docker iptables or,
3. Disable iptables in docker daemon config.

rasping5978

Thank you all for the help, I managed to set up my services with the help from this guide https://thesmarthomebook.com/2021/08/25/nginx-proxy-manager-setup-and-a-fix-for-your-502-gateway-errors/

Basically I set up a shared Docker network for all my services, that connects the reverse proxy to those services. Instead of using the IP, I used the Docker service name.

For hardening the server, I followed more guides provided. More to learn!

vitobotta

It's a known issue with a few workarounds. The best I am aware of is https://github.com/chaifeng/ufw-docker

rasping5978

@vitobotta said:
It's a known issue with a few workarounds. The best I am aware of is https://github.com/chaifeng/ufw-docker

I am currently using ufw-docker as a workaround too! Works like a charm!

vitobotta

@rasping5978 said:

@vitobotta said:
It's a known issue with a few workarounds. The best I am aware of is https://github.com/chaifeng/ufw-docker

I am currently using ufw-docker as a workaround too! Works like a charm!

It's definitely the best workaround I have found and the script is easy to use