The Wayback Machine - https://web.archive.org/web/20210815093201/https://github.com/chaifeng/ufw-docker/issues/8
Doesn't work with IPV6 #8

Open
smp4488 opened this issue Feb 14, 2019 · 8 comments

Comments

@smp4488

@smp4488 smp4488 commented Feb 14, 2019

So I took a shot at trying to get this to work with IPv6 addresses, with no luck. If I disable the ufw service I'm able to access my site using the v6 address, but when I enable ufw the connection times out. I found /etc/ufw/after6.rules and tried to modify it to work, but I must be doing something wrong. My guess is it's something with the v6 subnet.

# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fe80::/10
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw6-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fe80::/10
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d fe80::/10

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER

Here is my ifconfig:

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
        ether 02:42:0e:75:6d:9a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ufw status

Status: active
Logging: off
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

80/tcp                     ALLOW FWD   Anywhere
443/tcp                    ALLOW FWD   Anywhere
80/tcp (v6)                ALLOW FWD   Anywhere (v6)
443/tcp (v6)               ALLOW FWD   Anywhere (v6)
@chaifeng
Owner

@chaifeng chaifeng commented Feb 17, 2019

Sorry, I haven't tried IPv6 in Docker. This weekend I tried to set up a local IPv6 network using VirtualBox, but was not successful.

I checked our servers and found the IPv6 address of docker0 is like fe80::aaaa:bbbb:cccc:dddd, not the fe80::1 you showed. I'm not sure if this is an issue.

From the document "IPv6 with Docker | Docker Documentation" we can see that the IPv6 address of docker0 is like 2001:db8::c008/125.

So sorry, I cannot help you now. But I would like to try IPv6 when I have time.

If you have any updates please let me know, thanks!

@smp4488
Author

@smp4488 smp4488 commented Feb 18, 2019

@chaifeng thank you for your timely response. I took a look at the documentation you mentioned and made the changes that they describe. It now looks like the docker0 interface has two versions of an IPv6 address. I will admit I'm pretty new to firewalls and very new to ufw, so I'm not even sure what the best way to debug this would be. I don't really need IPv6 container support and I think it would be better to have the IPv6 requests to my server forwarded as IPv4, but I'm not sure how to do that.

The reason I found this issue was because I was unable to access my website from my phone when not connected to Wi-Fi. My LTE connection has an IPv6 address, which makes my site unreachable.

ifconfig:

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1::1  prefixlen 64  scopeid 0x0<global>
        ether 02:42:0e:75:6d:9a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I have updated my after6.rules to reflect the new address:

# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 2001:db8:1::/64
-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw6-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 2001:db8:1::/64
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 2001:db8:1::/64

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER

I enabled ufw logging and I can still see the request being blocked. The DST is my server's public IPv6 address.

Feb 17 19:23:03 smokey kernel: [1019599.765240] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=x:x:x:x:x:x:x:x LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0

Feb 17 19:23:04 smokey kernel: [1019600.761464] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=x:x:x:x:x:x:x:x LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0

Feb 17 19:23:06 smokey kernel: [1019602.765518] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=x:x:x:x:x:x:x:x LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
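As an added example (not code from the thread or from the ufw-docker project), a small Python parser for these [UFW BLOCK] kernel-log lines: it groups blocked flows by address family, netfilter path and destination port, and flags the situation in the log above, where OUT= is empty, meaning the packet was logged on the INPUT path rather than FORWARD, so the 80/443 ALLOW FWD rules (which only act in the FORWARD chain, via DOCKER-USER / ufw6-user-forward) could not have matched it. The sample lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter
# Constructed sample lines (documentation-range addresses) in the same [UFW BLOCK]
# kernel-log format as the entries quoted in the comment above.
SAMPLE_LOG = """\
Feb 17 19:23:03 smokey kernel: [1019599.765240] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:0db8:0008:e8ad:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
Feb 17 19:23:04 smokey kernel: [1019600.761464] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:0db8:0008:e8ad:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=33144 DPT=443 WINDOW=14400 RES=0x00 SYN URGP=0
Feb 17 19:23:09 smokey kernel: [1019605.100000] [UFW BLOCK] IN=eth0 OUT=docker0 MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:86:dd SRC=2001:0db8:0008:e8ad:0000:0000:0000:0002 DST=2001:0db8:0001:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=49 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=8080 WINDOW=14400 RES=0x00 SYN URGP=0
Feb 17 19:23:10 smokey kernel: [1019606.000000] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:6c:1c:b2:84:78:ac:5a:19:41:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=5000 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
MARKER = "[UFW BLOCK] "

def parse_ufw_block(line):
    """Return the key=value fields of one [UFW BLOCK] line, or None for any other line."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    fields = dict(KV_RE.findall(line[idx + len(MARKER):]))
    # netfilter leaves OUT= empty when the packet was logged on the INPUT path (addressed
    # to the host itself); a non-empty OUT interface means it was on the FORWARD path,
    # which is the only place the DOCKER-USER / ufw6-user-forward chains are consulted.
    fields["path"] = "forward" if fields.get("OUT") else "input"
    fields["family"] = 6 if ":" in fields.get("SRC", "") else 4
    return fields

def blocked_summary(log_text, allowed_fwd_ports=(80, 443)):
    """Count blocked flows per (family, path, proto, dport) and flag IPv6 packets to a
    port that is ALLOW FWD in ufw but was blocked on the INPUT path instead."""
    counts = Counter()
    findings = set()
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is None or f.get("PROTO") not in ("TCP", "UDP"):
            continue
        dport = int(f.get("DPT", 0))
        counts[(f["family"], f["path"], f["PROTO"], dport)] += 1
        if f["family"] == 6 and f["path"] == "input" and dport in allowed_fwd_ports:
            findings.add(f"IPv6 {f['PROTO']}/{dport} from {f['SRC']} blocked on the INPUT "
                         f"path (IN={f['IN']}, OUT empty): an ALLOW FWD rule cannot match it")
    return counts, sorted(findings)

if __name__ == "__main__":
    counts, findings = blocked_summary(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(key, n)
    for msg in findings:
        print("WARNING:", msg)
```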
@Fazel94

@Fazel94 Fazel94 commented Jun 30, 2019

Does it block unwanted traffic if the client is IPv6?
Since it only changes after.rules and not after6.rules, I suspect that it may not block incoming traffic over IPv6.
I haven't experimented, nor do I have any knowledge about IPv6.

@chaifeng
Owner

@chaifeng chaifeng commented Jul 1, 2019

@Fazel94 No, currently it doesn't support IPv6. But the method is similar.

For the following code, you need to replace 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 with your internal IPv6 addresses. Then add the changed code to the end of the file /etc/ufw/after6.rules.

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER

I don't have an IPv6 network environment for now, and I am also not very familiar with IPv6; I have just used it somewhere.

BTW, if you don't care about IPv6, disable it for your servers.

If you care about it, disable IPv6 for Docker, set up a web reverse proxy and forward the IPv6 traffic to the Docker containers; it's an easier way.

@SnejPro

@SnejPro SnejPro commented Mar 2, 2020

That helped me.

But I also had to change ufw-user-forward to ufw6-user-forward:

# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fc00::/7

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw6-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fc00::/7
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d fc00::/7

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
@Fazel94

@Fazel94 Fazel94 commented Apr 8, 2020

@chaifeng, my interest in this issue is about security. I propose you add to README.md that the solution wouldn't block unwanted traffic on IPv6. I and several people I know faced security problems due to the bad workings of UFW and Docker on IPv4.

@bonanza123

@bonanza123 bonanza123 commented Dec 28, 2020

@Fazel94 @SnejPro could you please paste your solution if it works?

@SnejPro

@SnejPro SnejPro commented Dec 30, 2020

/etc/ufw/after.rules

# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER

/etc/ufw/after6.rules

# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fc00::/7

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw6-user-forward

-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fc00::/7
-A DOCKER-USER -j DROP -p udp -m udp --dport 0:32767 -d fc00::/7

-A DOCKER-USER -j RETURN
COMMIT
# END UFW AND DOCKER
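As an added example, not code from the ufw-docker project, a Python lint for a block destined for /etc/ufw/after6.rules that catches the two mistakes this thread worked through: the IPv4 chain name ufw-user-forward left in the IPv6 file, and IPv4 prefixes in ip6tables rules, which can never match. WRONG_AFTER6 and FIXED_AFTER6 are shortened copies of the rule sets posted above, embedded as constructed input.

```python
import ipaddress
import re
# Shortened copies of the two rule sets posted above: the IPv4 block dropped into
# after6.rules unchanged, and the corrected IPv6 version.
WRONG_AFTER6 = """\
# BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j ufw-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
COMMIT
# END UFW AND DOCKER
"""
FIXED_AFTER6 = """\
# BEGIN UFW AND DOCKER
*filter
:ufw6-user-forward - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j RETURN -s fc00::/7
-A DOCKER-USER -j ufw6-user-forward
-A DOCKER-USER -j DROP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d fc00::/7
COMMIT
# END UFW AND DOCKER
"""
ADDR_RE = re.compile(r"\s(?:-s|-d|--source|--destination)\s+(\S+)")
JUMP_RE = re.compile(r"\s-j\s+(\S+)")
BUILTIN_TARGETS = {"RETURN", "DROP", "ACCEPT", "REJECT"}

def lint_after6(text):
    """Return a list of problems in a ufw-docker block meant for /etc/ufw/after6.rules."""
    problems = []
    lines = [l.strip() for l in text.splitlines()]
    declared = {l[1:].split()[0] for l in lines if l.startswith(":")}  # ':name - [0:0]'
    for l in lines:
        if not l.startswith("-A DOCKER-USER"):
            continue
        for target in JUMP_RE.findall(l):
            if target == "ufw-user-forward":
                problems.append("jumps to ufw-user-forward (the IPv4 chain); after6.rules must use ufw6-user-forward")
            elif target not in BUILTIN_TARGETS | declared:
                problems.append(f"jumps to undeclared chain {target}")
        for addr in ADDR_RE.findall(l):
            try:
                version = ipaddress.ip_network(addr, strict=False).version
            except ValueError:
                problems.append(f"unparseable address {addr}")
                continue
            if version != 6:
                problems.append(f"IPv4 prefix {addr} in an ip6tables rule can never match")
    return problems
```

Run `lint_after6(open("/etc/ufw/after6.rules").read())` on a real file to check it before `ufw reload`.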