@heyman
Forked from rubot/docker_ufw_setup.sh
Created September 6, 2018 13:11
easy fix for DOCKER-USER and ufw
#!/usr/bin/env bash
# Solves the problem of Docker-published ports bypassing ufw.
# Docker DNATs published ports in the nat table, so that traffic traverses the
# filter table's FORWARD chain, never INPUT, and the ufw input chains are not
# consulted as one would expect.
# Even the ufw forward chains would not help, because Docker inserts its own
# jumps (DOCKER-USER, DOCKER-ISOLATION*) at the top of FORWARD.
# This is a simple fix that worked for me.
# Re-runnable: every block written below is delimited by "# dockerfix start/end"
# markers and replaced on the next run. Run as root; the new rules take effect
# on the next `ufw reload` (or `ufw enable`).
set -eu

# Public interface whose inbound traffic must pass the ufw rules before it may
# reach a container. Override with: INTERFACE_NAME=ens3 ./docker_ufw_setup.sh
INTERFACE_NAME="${INTERFACE_NAME:-eth0}"

# Remove a previously installed dockerfix block from a file, then strip trailing
# blank lines and leave exactly two newlines so the new block appends cleanly.
__clear(){
    sed -i '/^# dockerfix start/,/^# dockerfix end/d' "$1"
    printf "%s" "$(< "$1")" > "$1"   # bash: $(< file) is expanded before the redirect truncates the file
    printf '\n\n' >> "$1"
}
__clear /etc/ufw/after.rules
__clear /etc/ufw/before.init
__clear /etc/ufw/ufw.conf

# defaults (later assignments win over the ones ufw.conf already contains)
echo "# dockerfix start
# Never flush the built-in chains (INPUT/FORWARD/...): that would wipe Docker's rules.
MANAGE_BUILTINS=no
# ufw then leaves ip6tables alone entirely; the rules below are IPv4-only.
IPV6=no
# dockerfix end" >> /etc/ufw/ufw.conf

# after.rules
# Handle traffic to published container ports in DOCKER-USER, otherwise every
# published port is reachable from the outside regardless of ufw.
# Declaring :DOCKER-USER here makes ufw's "iptables-restore -n" flush the chain,
# removing Docker's default "-j RETURN" before our rules are appended.
# Caveat: DOCKER-USER sees packets after the PREROUTING DNAT, so a port match in
# ufw-user-input compares against the container's port, not the published host
# port ("ufw allow 80" opens every container listening on port 80).
echo "# dockerfix start
*filter
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i $INTERFACE_NAME -j ufw-user-input
-A DOCKER-USER -i $INTERFACE_NAME -j DROP
COMMIT
# dockerfix end" >> /etc/ufw/after.rules

# before.init stop
# "ufw stop" flushes and deletes its own chains, but "iptables -X ufw-user-input"
# fails while DOCKER-USER still jumps to it. Flush DOCKER-USER first, put back
# Docker's default RETURN, then delete the chain. ufw only runs this hook when
# the file is executable.
sed -i '/stop)/a # dockerfix start\niptables -F DOCKER-USER || true\niptables -A DOCKER-USER -j RETURN || true\niptables -X ufw-user-input || true\n# dockerfix end' /etc/ufw/before.init
chmod a+x /etc/ufw/before.init
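The DOCKER-USER chain the script installs only protects published ports if ufw actually loaded it, the interface name matches, and nothing sits in front of it. The following bash script is an added check and not part of the gist: it parses `iptables -S DOCKER-USER` output and reports whether the chain has the shape after.rules installs. The `SAMPLE_*` dumps are constructed for the example, as are the `check_docker_user_chain` and `verdict` function names and the `ens3` interface used to show a mismatched INTERFACE_NAME.

```bash
#!/usr/bin/env bash
# Added verification helper; it is not part of the gist above.
# Reads `iptables -S DOCKER-USER` output on stdin and reports whether the chain
# has the shape the fix installs for the given interface. The SAMPLE_* dumps
# below are constructed so the script also runs offline.
#
# Live use (root):  iptables -S DOCKER-USER | ./check_docker_user.sh --stdin eth0

# check_docker_user_chain IFACE  < dump
# Prints "ok" and returns 0 when all of the following hold, otherwise prints a
# one-line reason and returns 1:
#   - the "-i IFACE -j ufw-user-input" jump and the "-i IFACE -j DROP" rule exist,
#   - no unconditional "-j RETURN" (Docker's stock rule) precedes that DROP,
#     since it would send every published port straight back to FORWARD,
#   - the jump precedes the DROP,
#   - RELATED,ESTABLISHED is accepted before the DROP, so replies and
#     already-allowed flows are not cut off.
check_docker_user_chain() {
  local iface=$1 line n=0 accept=0 jump=0 drop=0 ret=0
  while IFS= read -r line; do
    case "$line" in
      "-N "*|"-P "*|"") continue ;;      # chain headers and blank lines are not rules
    esac
    n=$((n + 1))                         # position in the chain, as iptables evaluates it
    case "$line" in
      "-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") accept=$n ;;
      "-A DOCKER-USER -i $iface -j ufw-user-input") jump=$n ;;
      "-A DOCKER-USER -i $iface -j DROP") drop=$n ;;
      "-A DOCKER-USER -j RETURN") if [ "$ret" -eq 0 ]; then ret=$n; fi ;;
    esac
  done
  if [ "$jump" -eq 0 ] || [ "$drop" -eq 0 ]; then
    echo "missing: no ufw-user-input jump or DROP for $iface (fix not loaded, or wrong INTERFACE_NAME)"
    return 1
  fi
  if [ "$ret" -ne 0 ] && [ "$ret" -lt "$drop" ]; then
    echo "bypass: unconditional RETURN at rule $ret precedes the DROP at rule $drop"
    return 1
  fi
  if [ "$jump" -gt "$drop" ]; then
    echo "order: DROP at rule $drop precedes the ufw-user-input jump at rule $jump"
    return 1
  fi
  if [ "$accept" -eq 0 ] || [ "$accept" -gt "$drop" ]; then
    echo "order: RELATED,ESTABLISHED accept missing or placed after the DROP"
    return 1
  fi
  echo ok
}

# Constructed sample: the chain once after.rules from the fix has been loaded.
SAMPLE_FIXED='-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i eth0 -j ufw-user-input
-A DOCKER-USER -i eth0 -j DROP'

# Constructed sample: Docker's stock chain, i.e. ufw never loaded the fix (or ufw
# is stopped and the before.init hook restored the default).
SAMPLE_DEFAULT='-N DOCKER-USER
-A DOCKER-USER -j RETURN'

# Constructed sample: the fix is present but a RETURN was inserted ahead of it
# (e.g. a manual "iptables -I DOCKER-USER -j RETURN"), which makes it dead code.
SAMPLE_BYPASSED='-N DOCKER-USER
-A DOCKER-USER -j RETURN
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i eth0 -j ufw-user-input
-A DOCKER-USER -i eth0 -j DROP'

# verdict SAMPLE_NAME IFACE: run the check on one of the constructed dumps.
verdict() {
  printf '%s\n' "${!1}" | check_docker_user_chain "$2"
}

if [ "${1:-}" = "--stdin" ]; then
  check_docker_user_chain "${2:-eth0}"
else
  for s in SAMPLE_FIXED SAMPLE_DEFAULT SAMPLE_BYPASSED; do
    printf '%-18s %s\n' "$s" "$(verdict "$s" eth0)"
  done
  # The fix is interface-specific: checked against the wrong interface it is absent.
  printf '%-18s %s\n' "SAMPLE_FIXED/ens3" "$(verdict SAMPLE_FIXED ens3)"
fi
```

On a live host, pipe the real dump in with `--stdin` and the interface you set as INTERFACE_NAME; a `missing` verdict right after `ufw reload` usually means ufw rejected after.rules or the interface name does not match the host's public interface, and a `bypass` verdict means a RETURN is shadowing the rules and every published port is reachable again.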