@justsml
Created June 7, 2015 10:07
Docker Host Server Firewall Setup Notes/Guide

Setup Docker Host Firewall

  1. Debian/Ubuntu Server is assumed
  2. Designed to run on Docker Host Server

Install Requirements

# Install UFW (Uncomplicated Firewall), plus nmap and curl for testing
apt-get update && apt-get install -y ufw nmap curl

Get your Internal & External IP Addresses

# Get your IP Addresses, simple output:
hostname --all-ip-addresses

# OR use ip tool, example:
ip addr

UFW Config & Command Examples

export EXTERNAL_IP=123.123.123.123
export DOCKER_IP=172.17.42.1

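# Allow and log all new SSH connections
ufw allow log proto tcp from any to any port 22
ufw limit 22/tcp # Rate limit - basic SSH brute force mitigation

# Allow tcp traffic for the Dockerized app. This is a filter rule only
# (source $EXTERNAL_IP, source port 8080 -> $DOCKER_IP port 3000); a ufw
# allow rule does not perform NAT/port forwarding by itself.
# Ports published with `docker run -p` are handled by Docker's own iptables
# rules, not by ufw.
ufw allow proto tcp from $EXTERNAL_IP port 8080 to $DOCKER_IP port 3000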

Enable / Start Firewall

Be careful: don't lock yourself out of your SSH port (defaults to 22).

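ufw enable
# Confirm which rules are active
ufw status verbose
# To start over: `ufw reset` disables ufw and restores the installation defaults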

==================

Test Firewall

Important: run these scans from a REMOTE IP address/location

# Verify dependency
apt-get update && apt-get install -y nmap

# Set scan target
export TARGET_HOST=123.123.123.123

# Example Scan Commands:
# Fast open port check
nmap -p 1-10240,27017 -T5 $TARGET_HOST
# Thorough scan
nmap -p 1-10240,27017 --open -v -A -Pn $TARGET_HOST
# OS detection
nmap -p 1-10240,27017 -O --osscan-guess $TARGET_HOST

DONE! Now you should see ONLY the ports you configured!
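
To check that result mechanically rather than by eye, this added example (not part of the original gist) parses nmap's grepable output (`-oG`) and prints every open TCP port that is missing from an allow-list. The function names, the allow-list `22 8080` and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an nmap scan of the firewalled host against the
# ports you intended to expose.
#
# Real use, run from the remote machine (grepable output to stdout):
#   nmap -p 1-10240,27017 -Pn -oG - "$TARGET_HOST" | unexpected_ports "22 8080"

# Constructed sample of `nmap -oG -` output (not a real scan result).
# Fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/
sample_scan() {
  printf 'Host: 123.123.123.123 ()\tStatus: Up\n'
  printf 'Host: 123.123.123.123 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///, 27017/open/tcp//mongod///, 3306/filtered/tcp//mysql///\tIgnored State: closed (10237)\n'
}

# unexpected_ports "<space-separated allowed ports>"
# Reads -oG output on stdin and prints "port/service" for every open tcp
# port that is not in the allow-list. Prints nothing when the scan is clean.
unexpected_ports() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /Ports:/ {
      sub(/.*Ports: /, "")   # drop everything before the port list
      sub(/\t.*/, "")        # drop trailing fields such as "Ignored State"
      m = split($0, entries, ", ")
      for (i = 1; i <= m; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open" && f[3] == "tcp" && !(f[1] in ok))
          print f[1] "/" f[5]
      }
    }'
}

# Demo on the constructed sample: only 22 and 8080 were meant to be reachable.
echo "Unexpected open ports:"
sample_scan | unexpected_ports "22 8080"
```

Any line printed is a port reachable from outside that no ufw rule was meant to expose, for example a container port published directly by Docker.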
