====== UFW Firewall ======
UFW is the default firewall configuration tool on Ubuntu and is simple to install on Debian.
https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
**Getting Started**: https://www.howtoforge.com/tutorial/ufw-uncomplicated-firewall-on-ubuntu-15-04/
**HowTo**: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
===== Reset UFW =====
ufw --force disable
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp #Example
ufw --force enable
ufw status numbered
===== Custom Rules =====
FIXME This needs further confirmation. **Consider this a starting point.**
This **example** is for filtering (further restricting) **external access to ports published (opened externally) by Docker**. Consider this a firewall in front of the Docker firewall. **Once you start with this, you will need to maintain it to control access to all your Docker apps.**
Docker published ports are **globally accessible** and this is **not limited by normal filtering rules**. This is probably unwanted in some cases such as **admin URLs** to web apps running under Docker.
vim /etc/ufw/after.rules
Insert the lines mentioning Docker, in the locations shown. Modify the destination ports as needed.
#
# rules.input-after
#
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-after-input
# ufw-after-output
# ufw-after-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
:DOCKER-USER - [0:0]
# End required lines
# Custom rules for Docker apps
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 80,443,22115:22119 -j ACCEPT
-A DOCKER-USER -i eth0 --match multiport -p udp --dports 22116 -j ACCEPT
-A DOCKER-USER -i eth0 --match multiport -p tcp --dports 81,9443 --source 192.168.1.0/24,10.0.0.0/24 -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input
# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT