How can I block ports from being visible/accessible from the outside using ufw?
If I nmap my server I can see all my running Docker containers (all ports from 8080 to 8086), which I do not want, because I only need them locally on the system:
myuser@mysystem:~$ nmap example.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-22 04:21 CEST
Nmap scan report for example.com (123.123.123.123)
Host is up (0.048s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8083/tcp open us-srv
8084/tcp open websnp
8085/tcp open unknown
8086/tcp open d-s-n
So, my approach was to block all these ports with ufw:
ufw deny 8080
ufw deny 8081
ufw deny 8082
ufw deny 8083
ufw deny 8084
ufw deny 8085
ufw deny 8086
ufw deny out 8080
ufw deny out 8081
ufw deny out 8082
ufw deny out 8083
ufw deny out 8084
ufw deny out 8085
ufw deny out 8086
ufw reload
But, if I now execute "nmap example.com" I can still see all open ports. What must be done to block these ports?
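Docker publishes container ports through its own iptables NAT and forwarding rules, which ufw's deny rules on the INPUT and OUTPUT chains do not cover, so what decides reachability is the host address each port is published on. The added example below is not part of the original post; it flags ports published on non-loopback addresses, and the function names, container names and sample input are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: list Docker-published ports that are bound to a
# non-loopback host address and are therefore reachable from outside.

# find_exposed reads lines of "<name><TAB><ports>", the layout produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "<name> <host_ip> <host_port>/<proto>" for every published
# port whose host address is not 127.0.0.0/8 or ::1.
find_exposed() {
  awk -F'\t' '
  {
    n = split($2, maps, /, */)
    for (i = 1; i <= n; i++) {
      m = maps[i]
      if (m !~ /->/) continue             # exposed only, not published on the host
      split(m, sides, "->")
      host = sides[1]
      proto = sides[2]; sub(/^.*\//, "", proto)
      port = host; sub(/^.*:/, "", port)  # text after the last colon
      ip = host;   sub(/:[^:]*$/, "", ip) # text before the last colon
      gsub(/[][]/, "", ip)                # strip brackets around IPv6
      if (ip ~ /^127\./ || ip == "::1") continue
      print $1, ip, port "/" proto
    }
  }'
}

# Constructed sample input (hypothetical containers, not the asker's host).
sample_ps() {
  printf 'web\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp\n'
  printf 'api\t127.0.0.1:8081->3000/tcp\n'
  printf 'db\t5432/tcp\n'
}

# Live use: docker ps --format '{{.Names}}\t{{.Ports}}' | find_exposed
sample_ps | find_exposed
```

A port that is only needed locally can be published on loopback, for example `-p 127.0.0.1:8080:80` instead of `-p 8080:80`, after which it no longer appears in this list.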