Quick security tip! Docker containers and ufw.

I recently discovered that the Docker daemon ‘out of the box’ (as it were) runs with the option --iptables=true.

Why is this important? - Well, on your own development machine perhaps it isn’t: you can just get on with running your containers and access them over the network as expected.

If you are a bit more security conscious, perhaps because you are running a production server, you will have firewall rules of some sort. iptables users may have spotted this, but ufw users will potentially miss it: Docker is allowed to make changes to iptables to make container networking easier. It creates its own DOCKER chains in the filter and nat tables and inserts rules at the top of the FORWARD chain, ahead of the chains ufw manages. The reason ufw users may miss this is that ufw status only lists the rules ufw itself wrote, so Docker’s never appear in that list; a container port published with -p is reachable from the network whether or not ufw has allowed it. Running iptables -S and iptables -t nat -S shows the full picture.

Perhaps you want Docker managing iptables; that is your decision. But if you are running a selection of microservices behind an nginx load balancer/reverse proxy, where only nginx should be reachable from outside, you probably do not want every backend container’s published port opened to the world behind ufw’s back.

How do we fix this? - Luckily it isn’t that hard to change the behaviour. One caveat before you do: with --iptables=false Docker also stops adding the MASQUERADE rule that gives containers outbound access and the DNAT rules behind -p, so if you need either you have to add them yourself (for example in /etc/ufw/before.rules) where ufw can see and manage them.

systemd Distros

Debian 8 for example, edit: /etc/systemd/system/multi-user.target.wants/docker.service. Note that this path is a symlink to the packaged unit file, so a package upgrade will silently overwrite your change; a drop-in file under /etc/systemd/system/docker.service.d/ containing the same ExecStart change survives upgrades.

vim /etc/systemd/system/multi-user.target.wants/docker.service

You are looking for the following line (this is the Docker 1.x daemon; on newer releases the binary is /usr/bin/dockerd and the same setting can also be given as "iptables": false in /etc/docker/daemon.json, so copy the ExecStart line from your installed unit rather than from here):

ExecStart=/usr/bin/docker daemon -H fd://

Change it to:

ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false

Reload systemd so it re-reads the edited unit (systemctl daemon-reload), then restart your Docker daemon

systemctl restart docker

non-systemd Systems

Ubuntu 14.04 for example.

Edit /etc/default/docker

vim /etc/default/docker

Change the DOCKER_OPTS line (yours may differ or be commented out; this one only sets public DNS servers):

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"

To:

DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"

Restart your Docker daemon

service docker restart