Enable UFW to block dockerized application. How can I block outside access to just the docker network?


My dockerized server is visible to the internet even though I've set UFW to not allow anything but ssh and http.

I've read that Docker opens the ports via iptables and bypasses UFW.

I do not want the server accessible via its port. Instead I use an nginx proxy to allow this access.

Furthermore, I have a dockerized mongo database that I only want to be accessible by my server app. It too is accessible from the outside.

docker compose file snippet

services:
  myapp:
    restart: unless-stopped
    build:
      context: ../server
      dockerfile: Dockerfile
    hostname: myapp
    ports:
      - 28000:27000        # no bind address given, so Docker binds 0.0.0.0:28000 on the host
  mongo_service:
    restart: unless-stopped
    image: mongo
    ports:
      - 27017:27017        # likewise bound on all host interfaces

UFW status

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    10.137.0.0/16             
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
123/udp                    ALLOW IN    Anywhere                  
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
123/udp (v6)               ALLOW IN    Anywhere (v6)  

From the outside I can access either 28000 or 27017

curl -v telnet://145.132.124.138:28000

This reports:

Connected to 145.132.124 port 28000 (#0)

Just to restate the requirements. The server app is the only entity that should be able to access the mongo db. The only access to the server app should be via port 80/443 directed through a proxy to the local port 28000. Neither port 28000 nor 27017 should be visible outside the host.

NOTE: I do block access via a cloud firewall. I just want the rules in UFW to make sense and do what they appear to be attempting.

NOTE2: I tried adding DOCKER_OPTS="--iptables=false" to /etc/default/docker and restarted Docker with sudo systemctl restart docker, but this did not resolve the issue. The connections could still be made.

David Maze

The server app is the only entity that should be able to access the mongo db.

Delete the ports: from the mongo_service container. The only function of ports: is to publish container ports outside of Docker space; they're not required or used for connections between containers.

The only access to the server app should be via [...] a proxy [running on the host system].

ports: takes an optional bind address. This is an existing IP address on the host, and the published port is bound to that interface. By default this is 0.0.0.0 ("all interfaces") but you can specify another address. If the reverse proxy is running on the host system, you can specify 127.0.0.1 to bind to (the host's) localhost interface.

ports:
  - '127.0.0.1:28000:27000'

If the proxy is also running in a container in the same Compose file (it connects to http://myapp:27000/) then you can also delete ports: here.
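The two fixes above come down to one rule: every `ports:` entry without a bind address becomes a 0.0.0.0 listener that Docker wires up with its own iptables rules in the FORWARD path, which UFW's INPUT rules never see. The following added example (written for this page, not code from the post or from Docker) parses the short and long `ports:` syntax Compose accepts and reports which published ports are reachable from outside the host. The two service mappings inside it are constructed to mirror the question's compose snippet and the answer's corrected version; no YAML library is needed because they are given as already-parsed dictionaries.

```python
"""Audit which Docker Compose `ports:` entries are reachable from outside the host.

Added example, not from the original post or from Docker's tooling. It parses
the short `ports:` syntax
    [host_ip:][host_port:]container_port[/protocol]
(IPv6 host addresses in brackets, e.g. "[::1]:8080:80") and the long form
({"target": ..., "published": ..., "host_ip": ..., "protocol": ...}), then
classifies each published port by the host address its socket binds to.
An entry with no host_ip binds to 0.0.0.0 (all interfaces), which is exactly
the case that bypasses UFW; only loopback-bound entries stay host-local.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PublishedPort:
    service: str
    host_ip: str          # address the host-side socket binds to
    host_port: str        # "" when Docker picks an ephemeral host port
    container_port: str
    protocol: str

    @property
    def exposed_to_all_interfaces(self) -> bool:
        return ipaddress.ip_address(self.host_ip).is_unspecified   # 0.0.0.0 or ::

    @property
    def loopback_only(self) -> bool:
        return ipaddress.ip_address(self.host_ip).is_loopback

    def label(self) -> str:
        port = self.host_port or "<ephemeral>"
        return f"{self.service}:{self.host_ip}:{port}->{self.container_port}/{self.protocol}"


def parse_port_spec(service: str, spec) -> PublishedPort:
    """Parse one `ports:` list item (short string/int form or long dict form)."""
    if isinstance(spec, dict):                        # long syntax
        return PublishedPort(
            service,
            str(spec.get("host_ip", "0.0.0.0")),
            str(spec.get("published", "")),
            str(spec["target"]),
            str(spec.get("protocol", "tcp")),
        )
    text = str(spec)                                  # YAML may hand us an int
    protocol = "tcp"
    if "/" in text:
        text, protocol = text.rsplit("/", 1)
    host_ip = "0.0.0.0"                               # Docker's default bind address
    if text.startswith("["):                          # bracketed IPv6 host address
        close = text.index("]")
        host_ip = text[1:close]
        text = text[close + 1:].lstrip(":")
    parts = text.split(":")
    if len(parts) == 3:                               # host_ip:host_port:container_port
        host_ip = parts.pop(0)
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:                             # container port only
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unparseable port spec {spec!r} in service {service}")
    ipaddress.ip_address(host_ip)                     # fail loudly on a bad address
    return PublishedPort(service, host_ip, host_port, container_port, protocol)


def published_ports(services: dict) -> list:
    """Flatten the `ports:` of every service in a parsed Compose `services:` mapping."""
    return [parse_port_spec(name, spec)
            for name, svc in services.items()
            for spec in (svc.get("ports") or [])]


def externally_reachable(services: dict) -> list:
    """Labels of published ports bound to all interfaces, i.e. visible past UFW."""
    return [p.label() for p in published_ports(services) if p.exposed_to_all_interfaces]


# Constructed inputs: the question's snippet and the answer's corrected version.
ORIGINAL_SERVICES = {
    "myapp": {"build": {"context": "../server"}, "ports": ["28000:27000"]},
    "mongo_service": {"image": "mongo", "ports": ["27017:27017"]},
}
FIXED_SERVICES = {
    "myapp": {"build": {"context": "../server"}, "ports": ["127.0.0.1:28000:27000"]},
    "mongo_service": {"image": "mongo"},   # no ports: -> reachable only on the compose network
}

if __name__ == "__main__":
    for name, svc in (("original", ORIGINAL_SERVICES), ("fixed", FIXED_SERVICES)):
        print(f"{name}: reachable from outside the host -> {externally_reachable(svc) or 'none'}")
```

After applying the change, confirm it on the host rather than trusting the file: `sudo ss -ltnp` should show the docker-proxy listener for 28000 on 127.0.0.1 instead of 0.0.0.0 (or *), and no listener at all for 27017.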