UFW Firewall

Reset UFW

ufw --force disable
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp                # Example: replace with the ports this host should accept
ufw --force enable

ufw status

Custom Rules

FIXME This needs further confirmation. Consider this a starting point.

This example filters (further restricts) external access to ports that Docker has published (opened) on the host.

Ports published by Docker are reachable from anywhere: Docker inserts its own accept rules into the iptables FORWARD chain, so the normal ufw rules for incoming traffic (which act on the INPUT chain) never see that traffic. This is usually unwanted for things like the admin URLs of web apps running under Docker. Docker evaluates the DOCKER-USER chain before its own rules, which is why the filtering below is placed there.

vim /etc/ufw/after.rules

Insert the lines mentioning Docker at the locations shown below, and change the destination ports to the ports your containers publish. Replace eth0 with the name of the host's external interface if it differs. After saving, run ufw reload so the new rules are loaded.

# rules.input-after
# Rules that should be run after the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-after-input
#   ufw-after-output
#   ufw-after-forward

# Don't delete these required lines, otherwise there will be errors
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-after-forward - [0:0]
# Added for Docker: declares the chain so the DOCKER-USER rules below can load
:DOCKER-USER - [0:0]
# End required lines

# Custom rules for Docker apps (DOCKER-USER is evaluated before Docker's own rules)
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
# Publicly reachable ports
-A DOCKER-USER -i eth0 -p tcp -m multiport --dports 80,443,22115:22119 -j ACCEPT
-A DOCKER-USER -i eth0 -p udp -m multiport --dports 22116 -j ACCEPT
# Admin-only ports: replace the placeholder with the comma-separated
# address(es)/CIDRs the admin URLs should be reachable from
-A DOCKER-USER -i eth0 -p tcp -m multiport --dports 81,9443 -s <ADMIN_SOURCE_ADDRESSES> -j ACCEPT
# Log, then drop every other attempt to open a new connection
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP

# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 68 -j ufw-skip-to-policy-input

# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
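The DOCKER-USER rules above only protect the published ports if the chain ends in a DROP and the ports it accepts are really the intended ones. The following shell script, added here as an example and not part of the original wiki page or of ufw/Docker, audits an iptables-save dump: it lists the ports DOCKER-USER accepts from any source and checks that the chain fails closed before Docker's trailing -j RETURN. The two dumps embedded in it are constructed samples (203.0.113.10 is a documentation-range placeholder); on a real host, run iptables-save -t filter and pass its output to the two functions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit a DOCKER-USER chain from an
# `iptables-save` dump. It lists the destination ports the chain accepts from
# any source (globally reachable published ports) and checks that the chain
# fails closed, i.e. its last rule before Docker's own "-j RETURN" is a DROP.
# Both dumps below are constructed samples.

# Constructed dump of a chain built like the after.rules example above.
SAMPLE_DUMP='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i eth0 -p tcp -m multiport --dports 80,443,22115:22119 -j ACCEPT
-A DOCKER-USER -i eth0 -p udp -m multiport --dports 22116 -j ACCEPT
-A DOCKER-USER -i eth0 -p tcp -m multiport --dports 81,9443 -s 203.0.113.10 -j ACCEPT
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j LOG --log-prefix "DOCKER-USER_DROP "
-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed dump of a common mistake: the final DROP was left out, so every
# published port stays reachable through Docker's permissive rules.
OPEN_DUMP='*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Print "proto port" for every ACCEPT rule in DOCKER-USER that has no source
# restriction (-s/--source). Comma-separated port lists are split, one per line.
docker_user_global_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER-USER" && / -j ACCEPT/ && !/ (-s|--source) / {
            proto = ""; ports = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dports" || $i == "--dport") ports = $(i + 1)
            }
            if (proto != "" && ports != "") {
                n = split(ports, p, ",")
                for (k = 1; k <= n; k++) print proto, p[k]
            }
        }'
}

# Return 0 when the last DOCKER-USER rule other than the trailing RETURN that
# Docker appends is a DROP or REJECT, 1 otherwise (including a missing chain).
docker_user_fails_closed() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER-USER" && !/ -j RETURN$/ { last = $0 }
        END {
            if (last ~ / -j (DROP|REJECT)( |$)/) exit 0
            exit 1
        }'
}

# Usage when run directly (on a real host: DUMP=$(iptables-save -t filter)).
echo "Globally reachable via DOCKER-USER:"
docker_user_global_ports "$SAMPLE_DUMP"
if docker_user_fails_closed "$SAMPLE_DUMP"; then
    echo "DOCKER-USER fails closed"
else
    echo "WARNING: DOCKER-USER does not end with DROP" >&2
fi
```

The source-restricted admin ports (81 and 9443 in the sample) are deliberately left out of the "globally reachable" list, so the output is exactly the set of ports an anonymous remote host can reach through the chain.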
networking/firewall/ufw.1659037143.txt.gz · Last modified: 2022/07/28 13:39 by gcooper