docker subverts ufw

The Problem

I found on Ubuntu that Docker modifies iptables such that ufw cannot effectively control incoming connections, as documented here:

http://blog.viktorpetersson.com/post/101707677489/the-dangers-of-ufw-docker

A Workaround

This link also points out that it is possible to override this behavior by adding the --iptables=false option to the command line that starts the Docker daemon. For a systemd example, this option is appended to the ExecStart line in
/lib/systemd/system/docker.service:

ExecStart=/usr/bin/dockerd -H fd:// --iptables=false

Note that /lib/systemd/system/docker.service belongs to the docker package and is overwritten on upgrade; a drop-in under /etc/systemd/system/docker.service.d/ (for example created with "systemctl edit docker") survives upgrades. In a drop-in, ExecStart has to be cleared with an empty "ExecStart=" line before the new one is given, and the change only takes effect after "systemctl daemon-reload" and a restart of docker.service. Also keep in mind that --iptables=false removes all of dockerd's rules, including the NAT rules that give bridged containers outbound access, not only the ones that expose published ports.

A Side-Effect of the Workaround

On Debian, with dockerd launched with the --iptables=false option, I tried to do “docker build” for a Dockerfile that included:

RUN npm install -g ethercalc pm2

But, this failed with:

npm info retry will retry, error on last attempt: Error: getaddrinfo ENOTFOUND registry.npmjs.org registry.npmjs.org:443

So, I had to

  • restart dockerd without the --iptables=false option
  • do the docker build
  • restart dockerd with the --iptables=false option

I would like to find a more elegant solution!!

Update 1:

On a Debian without any bridges, I don’t notice a difference in the output of ‘iptables -L’ with or without the option set.  So, I’m a bit stumped. Could this issue only affect Ubuntu? Could it only affect machines that have bridges?

Update 2:

I tried this again with my Ubuntu machine that does indeed have bridges, and I found that ‘iptables -L’ output is unaffected, yet, when I started dockerd without the --iptables=false option, my machine accepted connections even when ufw was set to reject all incoming connections.  So, I’m still stumped.
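The following script is an added example, not code from the original post, that covers both of the puzzles above: the failed “docker build” under --iptables=false, and the ufw bypass that does not show up in ‘iptables -L’. It works from an iptables-save dump rather than ‘iptables -L’, because ‘iptables -L’ prints only the filter table by default, while the rules Docker uses to publish ports are DNAT rules in the nat table (DOCKER chain) and so never appear there; conversely, --iptables=false also drops the POSTROUTING MASQUERADE rule for the bridge subnet, without which a bridged container cannot reach registry.npmjs.org. The two dumps in the script are constructed samples; the subnet 172.17.0.0/16, bridge docker0 and chain name DOCKER are Docker's defaults and are assumptions if your daemon is configured differently.

```shell
#!/bin/sh
# Added example (not part of the original post): audit what dockerd has done
# to the packet filter using an iptables-save dump, which covers every table.

# Constructed sample: dockerd in its default mode, one container publishing
# host port 8080 to container port 80. Names/addresses are Docker defaults.
SAMPLE_WITH_DOCKER='
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:ufw-before-input - [0:0]
-A INPUT -j ufw-before-input
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
'

# Constructed sample: dockerd started with --iptables=false. No Docker chains,
# and in particular no MASQUERADE rule for the bridge subnet.
SAMPLE_NO_IPTABLES='
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:ufw-before-input - [0:0]
-A INPUT -j ufw-before-input
COMMIT
'

# List ports that the nat table DNATs into containers. Such traffic is never
# seen by the INPUT chain that ufw filters, so these are the holes ufw cannot
# close. Output: one "hostport -> container:port" line per published port.
docker_published_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print dport " -> " dest
        }'
}

# Succeed (exit 0) when the bridge subnet has an outbound MASQUERADE rule.
# Without it, bridged containers (and docker build steps) have no route out,
# which is what --iptables=false leaves you with.
bridge_has_masquerade() {
    subnet=${2:-172.17.0.0/16}
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING -s $subnet .*-j MASQUERADE"
}

# Print the minimal rules that restore outbound access for the bridge when
# dockerd runs with --iptables=false, without re-adding any port publishing.
# They mirror the rules dockerd installs itself; subnet/bridge are assumptions.
bridge_rules_for() {
    subnet=${1:-172.17.0.0/16}
    bridge=${2:-docker0}
    printf 'iptables -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' "$subnet" "$bridge"
    printf 'iptables -I FORWARD -i %s ! -o %s -j ACCEPT\n' "$bridge" "$bridge"
    printf 'iptables -I FORWARD -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$bridge"
}

# Optional live audit: AUDIT_LIVE=1 sh docker_iptables_audit.sh (needs root).
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    dump=$(iptables-save)
    echo "Ports published by Docker (bypassing ufw's INPUT filtering):"
    docker_published_ports "$dump"
    if bridge_has_masquerade "$dump"; then
        echo "Bridge subnet is masqueraded: containers have outbound access."
    else
        echo "No MASQUERADE rule for the bridge; to restore outbound access run:"
        bridge_rules_for
    fi
fi
```

Running it against the two samples shows the asymmetry: the first dump reports "8080 -> 172.17.0.2:80" and has the MASQUERADE rule; the second reports nothing and lacks it. Applying the three rules printed by bridge_rules_for under --iptables=false gives containers outbound NAT (enough for the npm install step) while leaving ufw in charge of inbound traffic, which avoids restarting dockerd around each build. On recent Docker releases, "docker build --network=host" sidesteps the bridge entirely for the build, and the DOCKER-USER chain, which dockerd evaluates before its own FORWARD rules, is the supported place to restrict published ports while keeping dockerd's iptables handling enabled.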