When you're running docker swarm mode, you're facing the problem that the iptables rules of ufw have no effect on published ports.
This is correct and intended behaviour, and it is also well documented.
There are several blog entries, github projects, stackoverflow answers and so on which "fix" this issue by disabling iptables manipulation by docker and routing everything on their own. I bet that most people who blindly copy/paste those hacks have no clue what they're doing.
1st rule: simply only expose ports you want to serve publicly :)
Seriously. Example: you need to make a dump of your MariaDB, which runs in the docker network. Just run the dump from another docker container which is attached to the db network and has the backup destination mounted as a volume, start xtrabackup and you're done.
When you're not able to fulfill the first rule, just follow the 2nd rule.
2nd rule: simply add an iptables rule to the DOCKER-USER chain.
This chain is evaluated before docker's own iptables rules. Sadly, ufw is not able to apply rules in different chains. But don't worry, you can do it KISS with ansible:
```yaml
- name: drop public fluentd port
  become: yes
  iptables:
    action: insert
    chain: DOCKER-USER
    protocol: tcp
    destination_port: 24224
    jump: DROP
    ip_version: "ipv4"
    comment: drop fluentd port
```
... and you're done.
Yes, every solution in IT - every - has advantages and disadvantages.
When the server reboots, the added rules in the DOCKER-USER chain are gone!
The best idea is to use a simple systemd unit file which invokes your ansible playbook to re-apply your additional iptables rules for the DOCKER-USER chain on reboot.
```ini
[Unit]
Description=Firewall configuration script
After=docker.service
Requires=docker.service

[Service]
Type=simple
ExecStart=/usr/local/bin/ansible-playbook /path/to/playbook/iptable.yml
Restart=on-failure
RestartSec=2

[Install]
WantedBy=basic.target
```
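To check after a reboot that the re-applied rules really took effect, here is an added audit script (my own example, not part of the original post or the playbook). It parses the output of `iptables -S DOCKER-USER` and verifies that each port you meant to block has a DROP rule placed before the chain's trailing `-j RETURN`; a rule appended after that RETURN never fires, which is why the ansible task uses `action: insert`. The sample ruleset and the port list are constructed for the offline run.

```python
"""Audit DOCKER-USER: is every port we meant to block really dropped?"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `iptables -S DOCKER-USER`: 24224 was inserted by the
# ansible task above, while 9200 was mistakenly *appended* after the RETURN.
SAMPLE_RULES = """\
-N DOCKER-USER
-A DOCKER-USER -p tcp -m tcp --dport 24224 -m comment --comment "drop fluentd port" -j DROP
-A DOCKER-USER -j RETURN
-A DOCKER-USER -p tcp -m tcp --dport 9200 -j DROP
"""

_DPORT = re.compile(r"--dports? (\S+)")  # --dport 24224 or multiport --dports 1,2


def audit_docker_user(rules_text: str, must_drop: List[int]) -> Dict[int, str]:
    """Return {port: 'ok' | 'missing' | 'after-return'} for each port in must_drop."""
    status = {port: "missing" for port in must_drop}
    seen_return = False
    for line in rules_text.splitlines():
        if not line.startswith("-A DOCKER-USER"):
            continue  # skip -N / -P chain header lines
        if line == "-A DOCKER-USER -j RETURN":
            seen_return = True  # unconditional RETURN: rules after it are dead
            continue
        m = _DPORT.search(line)
        if not m or not line.endswith("-j DROP"):
            continue
        for p in m.group(1).split(","):
            if p.isdigit() and status.get(int(p)) == "missing":
                status[int(p)] = "after-return" if seen_return else "ok"
    return status


def live_rules() -> str:
    """Read the real chain (needs root); not used by the offline sample run."""
    return subprocess.check_output(["iptables", "-S", "DOCKER-USER"], text=True)


if __name__ == "__main__":
    # Ports we expect to be blocked: fluentd, and two constructed extras.
    for port, state in audit_docker_user(SAMPLE_RULES, [24224, 9200, 3306]).items():
        print(f"{port}: {state}")
```

Run it from the systemd unit after the playbook, or by hand with `audit_docker_user(live_rules(), [...])`, and alert on anything that is not `ok`.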
3rd rule: just use ufw for everything that is not deployed via docker.