install-docker duplicates ufw before rules on ufw restart #1

Open
andrewgdotcom opened this issue Apr 10, 2020 · 0 comments
The machines running Docker have this configuration in before.rules:

*nat
:POSTROUTING ACCEPT [0:0]

# Masquerade outgoing traffic coming from the docker subnet
-A POSTROUTING -o eth0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt1 -s 172.17.0.0/16 -j MASQUERADE
COMMIT

The problem is that when UFW is reloaded those rules will be duplicated in iptables:

groot@docker1 /tmp/ansible_siren_testdbs # ufw reload
Firewall reloaded
groot@docker1 /tmp/ansible_siren_testdbs # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.17.0.0/16        anywhere <---
MASQUERADE  all  --  172.17.0.0/16        anywhere <---
MASQUERADE  all  --  172.17.0.0/16        anywhere <---

Could be fixed by flushing postrouting if there are no additional nat rules outside of ufw.

@andrewgdotcom andrewgdotcom self-assigned this Apr 10, 2020
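The following is an added example, not code from this issue or from the ansible role it concerns. It models why the rules double up: ufw restores its rule files with `iptables-restore -n` (--noflush). Under --noflush a `:chain` declaration still flushes an existing user-defined chain, which is how ufw's own `ufw-before-*` chains are refreshed, but a built-in chain such as nat/POSTROUTING is left as it is, so every `-A POSTROUTING` line is appended on top of the copy already there. The script simulates a fresh load followed by one reload for the section quoted above and for a variant that flushes the chain first (`-F POSTROUTING`, one way to write the flush the issue suggests; that line is my assumption, not something the issue spells out). All rule text and the simulated table are constructed; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example; not code from this issue or from the ansible role it concerns.
# Models a no-flush restore (what `ufw reload` does with before.rules): rules
# appended to a built-in chain survive the reload and are appended again.
# Flushing the chain first (-F POSTROUTING) makes the section idempotent.
# All rule text and the simulated nat table are constructed test data.

# The nat section as quoted in the issue (constructed copy).
ISSUE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt1 -s 172.17.0.0/16 -j MASQUERADE
COMMIT'

# The same section with the chain flushed before the rules are re-added
# (the -F line is this example's assumption about how to express the fix).
FIXED_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-F POSTROUTING
-A POSTROUTING -o eth0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt0 -s 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -o zt1 -s 172.17.0.0/16 -j MASQUERADE
COMMIT'

# apply_noflush CURRENT RULES
# Print the nat table (one "-A ..." line per rule, in chain order) that a
# no-flush restore of RULES produces on top of CURRENT. Only -F and -A are
# modelled, which is all these sections use; the chain declaration and COMMIT
# add no rules, so they are skipped.
apply_noflush() {
    { printf '%s\n' "$1"; echo '### RULES ###'; printf '%s\n' "$2"; } | awk '
        function chain_of(line,  f) { split(line, f, " "); return f[2] }
        /^### RULES ###$/ { in_rules = 1; next }
        !in_rules { if ($1 == "-A") rules[++n] = $0; next }
        $1 == "-F" {                  # flush: drop every rule already in that chain
            m = 0
            for (i = 1; i <= n; i++) if (chain_of(rules[i]) != $2) kept[++m] = rules[i]
            for (i = 1; i <= n; i++) delete rules[i]
            for (i = 1; i <= m; i++) rules[i] = kept[i]
            n = m
        }
        $1 == "-A" { rules[++n] = $0 }   # append, even if an identical rule exists
        END { for (i = 1; i <= n; i++) print rules[i] }'
}

# reload_twice RULES: a fresh load followed by one `ufw reload`.
reload_twice() {
    first=$(apply_noflush '' "$1")
    apply_noflush "$first" "$1"
}

# count_rules TABLE: number of rules in nat/POSTROUTING.
count_rules() {
    printf '%s\n' "$1" | awk '/^-A POSTROUTING / { c++ } END { print c + 0 }'
}

# count_duplicates TABLE: number of distinct rules present more than once.
# On a real host the same check runs over live output:
#   count_duplicates "$(iptables-save -t nat)"
count_duplicates() {
    printf '%s\n' "$1" | awk '/^-A /' | sort | uniq -d | awk 'END { print NR }'
}

for section in ISSUE_RULES FIXED_RULES; do
    eval "rules=\$$section"
    table=$(reload_twice "$rules")
    echo "$section: $(count_rules "$table") rules, $(count_duplicates "$table") duplicated"
done
```

The flush is only safe under the condition the issue states: if anything other than ufw (Docker's own daemon rules, for instance) also writes to nat/POSTROUTING, `-F POSTROUTING` on every reload removes those rules as well, so check `iptables-save -t nat` for non-ufw entries before adding it.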