UFW防火墙在DigitalOcean中的Ubuntu上不起作用 [英] UFW firewall is not working on Ubuntu in DigitalOcean

问题描述

在我的DigitalOcean（DO）小滴中，我安装了此图像： Ubuntu Docker 17.12.0〜ce在16.04上（可在** DO网站> Droplet> destroy>重建小滴**中获得） ，在ssh中（用户配置后），我运行

In my DigitalOcean (DO) droplet I installed this image: Ubuntu Docker 17.12.0~ce on 16.04 (which is available on ** DO website > droplet> destroy> rebuild droplet**) , in ssh (after user configuration), I run

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo ufw status verbose

并获取：

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         LIMIT IN    Anywhere                  
2375/tcp                   ALLOW IN    Anywhere                  
2376/tcp                   ALLOW IN    Anywhere                  
22 (v6)                    LIMIT IN    Anywhere (v6)             
2375/tcp (v6)              ALLOW IN    Anywhere (v6)             
2376/tcp (v6)              ALLOW IN    Anywhere (v6) 

您会看到，我不允许端口80（http）上的任何连接。确定要测试防火墙是否确实有效，我在docker下运行：

As you see, I don't allow any connections on port 80 (http). Ok to test that firewall really works I run following docker:

sudo docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:alpine

但是当我进入chrome并输入我的Droplet IP时，我会看到nginx响应（!!!）

But when I go to chrome and type my droplet IP I see nginx response (!!!)

我也尝试在Ubuntu 17映像中使用此命令（

I try this also for Ubuntu 17 image (with docker installation by hand) but still get the same problem.

结论：ufw防火墙在Ubuntu中根本无法工作

Conclusion: ufw firewall doesn't work at all in Ubuntu

问题：如何配置ufw / Ubuntu来解决此问题？

Question: how to configure ufw/Ubuntu to fix this problem?

推荐答案

Docker和UFW不能很好地协同工作，因为它们都修改了iptables，但是有一种解决方法。
您需要将Docker配置为不使用iptables。添加

Docker and UFW don't work together too well as they both modify iptables but there's a way to fix this. You'll need to configure Docker to not use iptables. Add

DOCKER_OPTS="--iptables=false"

到 / etc / default / docker 并重新启动主机（或重新启动Docker守护进程和UFW）。

to /etc/default/docker and restart your host (or restart the Docker daemon and UFW).

这两个链接提供了有关该问题的更多信息：

These two links have a lot more information about the issue:

https://blog.viktorpetersson.com/2014/11/03/the-dangers-of- ufw-docker.html


> https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/

这篇关于UFW防火墙在DigitalOcean中的Ubuntu上不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！