I found on Ubuntu that Docker modifies iptables such that ufw cannot effectively control incoming connections, as documented here:
This link also points out that it is possible to override this behavior by adding the
--iptables=false option to the command line that starts the Docker daemon. For a systemd example, this option is appended to the ExecStart line in
ExecStart=/usr/bin/dockerd -H fd:// --iptables=false
A Side-Effect of the Workaround
On Debian, with dockerd launched with the --iptables=false option, I tried to do "docker build" for a Dockerfile that included:
RUN npm install -g ethercalc pm2
But, this failed with:
npm info retry will retry, error on last attempt: Error: getaddrinfo ENOTFOUND registry.npmjs.org registry.npmjs.org:443
So, I had to:
- restart dockerd without the --iptables=false option
- do the docker build
- restart dockerd with the --iptables=false option
I would like to find a more elegant solution!!
On a Debian without any bridges, I don’t notice a difference in the output of ‘iptables -L’ with or without the option set. So, I’m a bit stumped. Could this issue only affect Ubuntu? Could it only affect machines that have bridges?
I tried this again with my Ubuntu machine that does indeed have bridges, and I found that 'iptables -L' output is unaffected, yet, when I started dockerd without the --iptables=false option, my machine accepted connections even when ufw was set to reject all incoming connections. So, I'm still stumped.
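The following is an added diagnostic script, not part of the original post. It shows why looking only at `iptables -L` is inconclusive: that command lists just the filter table, while Docker's port publishing also relies on the nat table (DNAT in PREROUTING, MASQUERADE in POSTROUTING) and on the FORWARD chain, none of which ufw's INPUT-based policy governs. The same missing MASQUERADE rule is what breaks outbound traffic (and hence DNS, as in the npm ENOTFOUND error) inside containers when dockerd runs with --iptables=false. The rule dumps below are constructed samples in `iptables -S` format; the live commands at the end are commented out and need root on a real host.

```shell
#!/bin/sh
# Added example (not from the original post): inspect iptables rule dumps
# for the chains and rules Docker installs. All sample data is constructed.

# Constructed `iptables -S` (filter table) output from a host where Docker
# manages iptables and publishes container port 80 on host port 8080.
SAMPLE_FILTER='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-N ufw-before-input
-A INPUT -j ufw-before-input
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Constructed `iptables -t nat -S` output from the same host.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80'

# Constructed nat-table output from a host running dockerd --iptables=false:
# no DOCKER chain and no MASQUERADE rule for the container subnet.
SAMPLE_NAT_NOIPT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'

# docker_manages_iptables DUMP: prints "yes" if the dump contains a DOCKER
# chain definition, "no" otherwise.
docker_manages_iptables() {
    if printf '%s\n' "$1" | grep -q '^-N DOCKER$'; then
        echo yes
    else
        echo no
    fi
}

# published_ports NAT_DUMP: prints the host ports Docker DNATs into
# containers, one per line. Such traffic is rewritten in PREROUTING and then
# FORWARDed to the container, so ufw's INPUT rules never see it.
published_ports() {
    printf '%s\n' "$1" | sed -n 's/^-A DOCKER .*--dport \([0-9]*\) -j DNAT.*/\1/p'
}

# docker_accept_rules FILTER_DUMP: counts ACCEPT rules in the filter-table
# DOCKER chain (Docker adds one per published container port).
docker_accept_rules() {
    printf '%s\n' "$1" | grep -c '^-A DOCKER .* -j ACCEPT$'
}

# container_masquerade NAT_DUMP: prints "yes" if outbound container traffic
# is source-NATed. Without this rule, packets leave with a 172.17.x.x source
# and replies never come back, which is why DNS lookups fail in a build
# container when dockerd runs with --iptables=false.
container_masquerade() {
    if printf '%s\n' "$1" | grep -q '^-A POSTROUTING .* -j MASQUERADE$'; then
        echo yes
    else
        echo no
    fi
}

# Demonstration on the constructed samples.
echo "Docker chains in filter table: $(docker_manages_iptables "$SAMPLE_FILTER")"
echo "Published host ports:          $(published_ports "$SAMPLE_NAT" | tr '\n' ' ')"
echo "Container MASQUERADE present:  $(container_masquerade "$SAMPLE_NAT")"
echo "...with --iptables=false:      $(container_masquerade "$SAMPLE_NAT_NOIPT")"

# Live usage on a real host (requires root); uncomment to run:
# docker_manages_iptables "$(iptables -S)"
# published_ports "$(iptables -t nat -S)"
# container_masquerade "$(iptables -t nat -S)"
```

On a real host, run the live commands instead of the samples: a non-empty `published_ports` list means those ports are reachable from outside regardless of ufw's INPUT policy, and a "no" from `container_masquerade` explains any outbound or DNS failures inside containers.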