Docker and UFW

From OISecWiki

When running Docker on a host and trying to secure it with UFW, I've run into some problems where the Docker-exposed ports supersede UFW, making these ports available to everyone.

To fix this, do the following.

Docker publishes container ports through the FORWARD chain, which the UFW rules on INPUT never see; the DOCKER-USER chain is evaluated before Docker's own FORWARD rules, so that is where the host's filtering has to go. Add the following lines to /etc/ufw/after.rules, just before the final COMMIT line.

# Chains: DOCKER-USER is Docker's hook for user rules, ufw-user-input holds the
# rules added with the ufw command line
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]

# Allow packets of connections already accepted or opened by the containers, drop junk
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
# New traffic arriving on the public interface (ens3 here; substitute the name of
# your own interface) must pass the normal ufw rules, anything they do not accept is dropped
-A DOCKER-USER -i ens3 -j ufw-user-input
-A DOCKER-USER -i ens3 -j DROP

Now reload UFW by running ufw reload so the new after.rules take effect, and confirm the chain is populated with iptables -L DOCKER-USER -n -v.
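To apply the recipe above without hand-editing the file, here is an added example script (not from the wiki) that inserts the rules exactly once before the final COMMIT line of a given after.rules file, keeps a backup, and checks their placement. The file path and the interface name are assumed parameters; ens3 stays the default, as on the page.

```shell
#!/bin/sh
# Insert the page's DOCKER-USER rules into a ufw after.rules file just before
# its final COMMIT line, once, keeping a backup. Example script, not from the
# wiki. Arguments assumed: $1 = path to after.rules, $2 = public interface
# (defaults to ens3 as on the page; check yours with: ip route show default).
set -eu

docker_user_rules() {
  cat <<EOF
# BEGIN DOCKER-USER rules for UFW
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]

-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i $1 -j ufw-user-input
-A DOCKER-USER -i $1 -j DROP
# END DOCKER-USER rules for UFW
EOF
}

# Line number of the final COMMIT (rules after it are never loaded); empty if none.
last_commit_line() {
  grep -n '^COMMIT$' "$1" | tail -n 1 | cut -d: -f1
}

add_docker_user_rules() {
  file="$1"; iface="${2:-ens3}"
  if grep -q '^:DOCKER-USER ' "$file"; then
    echo "DOCKER-USER already present in $file, nothing to do" >&2
    return 0
  fi
  commit=$(last_commit_line "$file")
  [ -n "$commit" ] || { echo "no COMMIT line in $file" >&2; return 1; }
  cp -p "$file" "$file.bak"
  { head -n "$((commit - 1))" "$file"
    docker_user_rules "$iface"
    tail -n "+$commit" "$file"; } > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Check: the DROP rule for the interface exists and sits before the final COMMIT.
check_docker_user_rules() {
  file="$1"; iface="${2:-ens3}"
  rule=$(grep -n -- "^-A DOCKER-USER -i $iface -j DROP$" "$file" | head -n 1 | cut -d: -f1)
  commit=$(last_commit_line "$file")
  [ -n "$rule" ] && [ -n "$commit" ] && [ "$rule" -lt "$commit" ]
}
```

Run it as root against /etc/ufw/after.rules with the real public interface name, then ufw reload as described above.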