Docker container access cannot be controlled with OMV firewall rules

  • I've been trying to set up the firewall inside OMV, and I've been mostly successful at restricting access as I want.


    BUT I can't seem to restrict access to Docker containers running on the server using the rules in the OMV6 user interface.


    My iptables are below, and my guess is that Docker's rules are taking precedence over OMV's rules. Specifically, I wanted to restrict access to port 3000 and 3001, and even if I drop all the traffic in the OMV UI, the port remains open.


    The rules below should block all traffic to ports 3000/3001, according to the first block (which is what I'd configured in OMV), but then later you can see that docker allows those ports.


    Have I hit a limitation of the OMV webui, or am I missing something here? Or is there a way I can configure the docker containers differently?


  • Quote

    Uncomplicated Firewall (ufw) is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use iptables in ways that make them incompatible with each other.


    When you publish a container’s ports using Docker, traffic to and from that container gets diverted before it goes through the ufw firewall settings. Docker routes container traffic in the nat table, which means that packets are diverted before it reaches the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

    Packet filtering and firewalls


    Seems this is a Docker limitation that OMV can't get around (at least insofar as only the INPUT and OUTPUT chains can be manipulated through the WebUI).

    • Official Post

    Why are you opening ports in docker containers and then blocking access to them? Couldn't you just not expose the ports in the container?

    omv 7.4.10-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.14 | compose 7.2.14 | k8s 7.3.1-1 | cputemp 7.0.2 | mergerfs 7.0.5 | scripts 7.0.9


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

    • Official Post

    I want to restrict access to the ports to a specific set of IPs.

    Granted it is only one IP but why not do that in the compose file?


    Code
    ports:
      - 192.168.1.45:3000:80


  • I would think it would be more appropriate/efficient to do the blocking in your router instead of in your server.

  • ...the only way I could probably do this with OMV webui...

    Then don't use the UI. From that same page...

    Quote

    If you want rules to apply even when a port gets published through Docker,
    you must add these rules to the DOCKER-USER chain.

    I think it would be more effective to only allow certain ports rather than block them. Of course, I have no idea what the "normal" ports are for general operation, dockerhub and other commonly used connections?
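As an added example (not code from the thread, from Docker, or from the OMV project), this shell script shows the DOCKER-USER approach the quote above describes. OMV's rules land in INPUT, but traffic to a published container port is DNATed in the nat table and then forwarded, so it only ever traverses FORWARD, where Docker consults DOCKER-USER first. Two details matter: rules must be inserted at the top of DOCKER-USER (Docker's own `-j RETURN` sits at the bottom, so appended rules are never reached), and the port must be matched on the connection's original destination port, because by the time the packet reaches FORWARD the DNAT has already rewritten it to the container's internal port. The trusted source address, the interface name and the port list are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: allow one trusted client to reach Docker-published
# ports and drop everyone else, using the DOCKER-USER chain.
# ALLOWED_SRC, EXT_IF and PORTS below are assumptions, not values from the thread.

ALLOWED_SRC="${ALLOWED_SRC:-192.168.1.45}"   # assumed trusted LAN client
EXT_IF="${EXT_IF:-eth0}"                      # assumed interface the host is reached on
PORTS="${PORTS:-3000 3001}"                   # host ports published by the compose file

# Emit the iptables commands, one per line, in the order they must be run.
# Every command uses "-I DOCKER-USER 1", so for each port the DROP is inserted
# first and the RETURN for the trusted source is inserted above it. Final chain
# order per port, top to bottom:
#   1. RETURN  trusted source -> packet continues to Docker's own FORWARD rules
#   2. DROP    any other source arriving on EXT_IF for that published port
#   3. Docker's default "-j RETURN" (already present at the bottom)
# "--ctorigdstport" matches the port the client actually connected to (the
# published host port), not the DNATed container port; "--ctdir ORIGINAL"
# restricts the match to client->container packets so replies are untouched.
docker_user_rules() {
  for port in $PORTS; do
    printf 'iptables -I DOCKER-USER 1 -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
      "$EXT_IF" "$port"
    printf 'iptables -I DOCKER-USER 1 -i %s -p tcp -s %s -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j RETURN\n' \
      "$EXT_IF" "$ALLOWED_SRC" "$port"
  done
}

# Number of rules the generator produces: one allow and one drop per port.
rule_count() {
  docker_user_rules | wc -l | tr -d ' '
}

# Apply the generated rules. Needs root and iptables on the Docker host.
# With DRY_RUN=1 (the default here) the commands are only printed.
apply_rules() {
  docker_user_rules | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "$cmd"
    else
      sh -c "$cmd"
    fi
  done
}

apply_rules
```

Run it as root with `DRY_RUN=0` to install the rules; note that they are not persistent across reboots or Docker restarts, so the usual approach is to re-run the script from a boot-time unit or an iptables-persistent save. Binding the published port to a single host address in the compose file, as shown earlier in the thread, avoids the problem at the source and is the simpler choice when the container only ever needs to be reachable from one address.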
