[SOLVED] Issue with Docker/Traefik/Cloudflare/UFW setup #222
uasdj25 started this conversation in Show and tell
Beautiful work. Thank you for sharing!
On Fri, Jan 21, 2022, 6:36 PM uasdj25 wrote:
I wanted to post this here in case anyone else ran into a similar issue. Perhaps it will be helpful.
I built my setup several years ago along with the guides at htpcbeginner and now smarthomebeginner. I have been running my apps as listed in the subject without the firewall (UFW) enabled due to some serious performance issues. I noticed issues when I inserted the 'iptables --false' into the /etc/default/docker file that was in the guide regarding "20 Docker Security Best Practices" <https://www.smarthomebeginner.com/traefik-docker-security-best-practices/>. I would experience some serious buffering issues with Plex in particular.
It turns out that docker has issues networking amongst its containers in its network in some cases when iptables is set to false. I went down the path of turning off the firewall until I could find a solution. I finally came across a handy guide here:
ufw-docker <https://github.com/chaifeng/ufw-docker/blob/master/README.md#tldr>
Basically, I had to make a configuration change in /etc/ufw/after.rules so that I could allow private IP address space to be routable within the containers. It also allows the containers to not expose ports externally. Once I inserted this snippet into the after.rules file (and after6.rules for IPv6 addresses), all I had to do was open ports 80 and 443 in ufw:
```
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
-A DOCKER-USER -j RETURN
-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP
COMMIT
# END UFW AND DOCKER
```
After inserting that at the end of the file, I simply ran `ufw route allow proto tcp from any to any port 80` and `ufw route allow proto tcp from any to any port 443`. Now the security hole is closed, docker doesn't bypass iptables rules, and the containers all function.
I hope this helps someone in the future. It took some serious digging to get to the bottom of it!
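To make the effect of that snippet concrete, here is a small Python model of the DOCKER-USER chain it installs. This is an added example, not part of uasdj25's post and not code from the ufw-docker project: it walks constructed packets through the rules above in order (first match wins) and treats the two `ufw route allow ... port 80/443` commands as ACCEPT rules in the `ufw-user-forward` chain, which is where ufw puts routed rules. All addresses, ports and the "traefik"/"other container" labels are constructed for the example. One detail the model relies on is that Docker's DNAT for published ports runs in PREROUTING, before the FORWARD chain, so the destination DOCKER-USER sees is the container's private IP and container-side port; that is why the `-d` private-range deny rules catch published ports, and why the port given to `ufw route allow` is the container port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The private ranges the after.rules snippet treats as "inside".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Modelled result of the two `ufw route allow proto tcp from any to any port N` commands.
ROUTE_ALLOW_80_443 = (("tcp", 80), ("tcp", 443))


@dataclass
class Packet:
    """A forwarded packet as DOCKER-USER sees it. DNAT has already run, so dst/dport
    are the container IP and the container-side port (constructed values in the tests)."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn_only: bool = True  # TCP: SYN set and FIN/RST/ACK clear, i.e. a new connection attempt


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def ufw_user_forward(pkt: Packet, route_allows) -> Optional[str]:
    """Model of ufw-user-forward: one ACCEPT per `ufw route allow` (proto, port) pair."""
    for proto, port in route_allows:
        if pkt.proto == proto and pkt.dport == port:
            return "ACCEPT"
    return None  # no match: control falls back into DOCKER-USER


def docker_user(pkt: Packet, route_allows=()) -> str:
    """First-match walk through the DOCKER-USER rules from the snippet.
    "RETURN" hands the packet on to Docker's own DOCKER chain (normal Docker behaviour);
    "LOG+DROP" is the ufw-docker-logging-deny chain (rate-limited LOG, then DROP)."""
    # -A DOCKER-USER -j ufw-user-forward
    verdict = ufw_user_forward(pkt, route_allows)
    if verdict:
        return verdict
    # -A DOCKER-USER -j RETURN -s <private range>: traffic that originates inside is left to Docker,
    # which is what keeps container-to-container networking working.
    if is_private(pkt.src):
        return "RETURN"
    # -A DOCKER-USER -p udp --sport 53 --dport 1024:65535 -j RETURN: DNS replies to containers
    if pkt.proto == "udp" and pkt.sport == 53 and 1024 <= pkt.dport <= 65535:
        return "RETURN"
    # --tcp-flags FIN,SYN,RST,ACK SYN -d <private range>: new TCP connections from outside
    if pkt.proto == "tcp" and pkt.syn_only and is_private(pkt.dst):
        return "LOG+DROP"
    # -p udp --dport 0:32767 -d <private range>: unsolicited UDP to service ports from outside
    if pkt.proto == "udp" and pkt.dport <= 32767 and is_private(pkt.dst):
        return "LOG+DROP"
    # -A DOCKER-USER -j RETURN: anything else (e.g. established TCP) goes on to Docker's rules
    return "RETURN"


def scenarios() -> dict:
    """Constructed traffic: 203.0.113.0/24 is a documentation range standing in for the
    internet; 172.18.0.0/16 stands in for a Docker bridge network."""
    internet, traefik, other = "203.0.113.10", "172.18.0.2", "172.18.0.5"
    return {
        # Snippet alone: a published 443 is no longer reachable from outside.
        "internet->traefik:443, no route allow":
            docker_user(Packet(internet, traefik, "tcp", 51000, 443)),
        # After `ufw route allow ... port 443` it is reachable again.
        "internet->traefik:443, with route allow":
            docker_user(Packet(internet, traefik, "tcp", 51000, 443), ROUTE_ALLOW_80_443),
        # A port published by another container but never allowed in ufw stays blocked.
        "internet->other:8080, only 80/443 allowed":
            docker_user(Packet(internet, other, "tcp", 51001, 8080), ROUTE_ALLOW_80_443),
        # Container-to-container traffic is returned to Docker's own chains.
        "traefik->other:8080":
            docker_user(Packet(traefik, other, "tcp", 40000, 8080), ROUTE_ALLOW_80_443),
        # DNS answers to a container's ephemeral port are let through.
        "dns reply->other:45000":
            docker_user(Packet("198.51.100.53", other, "udp", 53, 45000), ROUTE_ALLOW_80_443),
        # An established flow (ACK, not SYN-only) is not a new connection and is returned.
        "internet->traefik:443, established":
            docker_user(Packet(internet, traefik, "tcp", 51000, 443, syn_only=False)),
        # Unsolicited UDP from outside to a port above 32767 is NOT caught by the snippet.
        "internet->other:udp 40000":
            docker_user(Packet(internet, other, "udp", 5000, 40000)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:45} {verdict}")
```

The last scenario is the caveat worth knowing: the snippet only denies unsolicited UDP to destination ports 0 to 32767, so a container listening on a higher UDP port is still governed by Docker's own rules unless you add a matching `ufw route deny` yourself. Everything else follows directly from the rule order: the `ufw route allow` ACCEPTs are consulted first, private-source traffic is returned to Docker (which is what restores container-to-container networking without `iptables=false`), and new TCP connections from outside to a private container address are logged with the `[UFW DOCKER BLOCK]` prefix and dropped.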