UFW to allow traffic from Docker

Question

I have a development server with this UFW config:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                  
22/tcp (v6)                LIMIT       Anywhere (v6)             

123/udp                    ALLOW OUT   Anywhere                  
DNS                        ALLOW OUT   Anywhere                  
80/tcp                     ALLOW OUT   Anywhere                  
443/tcp                    ALLOW OUT   Anywhere                  
22/tcp                     ALLOW OUT   Anywhere                  
123/udp (v6)               ALLOW OUT   Anywhere (v6)             
DNS (v6)                   ALLOW OUT   Anywhere (v6)             
80/tcp (v6)                ALLOW OUT   Anywhere (v6)             
443/tcp (v6)               ALLOW OUT   Anywhere (v6)             
22/tcp (v6)                ALLOW OUT   Anywhere (v6)

My problem is that this also blocks traffic internally from Docker.

I run a Docker container that maps 8000:8000 for http, and if I disable UFW I can make requests as expected. However, when UFW is enabled, I can't reach port 8000 even internally.

How do I allow this traffic for internal use? I want to access via ssh -L 8000:127.0.0.1:8000 example.com, so I don't want to open port 8000 for external access.

---

UPDATE:

Thinking that the problem might be that UFW also applies the rules to the loop-back interface I updated my rule with these new rules:

To                         Action      From
--                         ------      ----
Anywhere on lo             ALLOW       Anywhere                  
Anywhere on 127.0.0.1      ALLOW       Anywhere                  
Anywhere (v6) on lo        ALLOW       Anywhere (v6)             
Anywhere (v6) on 127.0.0.1 ALLOW       Anywhere (v6)             

Anywhere                   ALLOW OUT   Anywhere on lo            
Anywhere                   ALLOW OUT   Anywhere on 127.0.0.1     
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on lo       
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on 127.0.0.1

This does not solve the problem.

Answer 1

ufw allow from <some_address> to any app <app_name>

The manpage states not to enter a port number:

You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause. This probably means it will let <app_name> use whatever port it needs to

Other commands which might be useful:

ufw app info <app_name> Which lists the information on <app_name>'s profile.

ufw app update <app_name>
Which updates <app_name>'s profile. You can use all to update all application profiles.

You can use the:

ufw app update --add-new <app_name> command to add a new profile for <app_name> and update it, following the rules you set out with ufw app default <policy>.

App profiles are stored in /etc/ufw/applications.d and sometimes /etc/services.

For more information, to view the man page for ufw

man ufw

Update: Docker uses a private interface called docker0, you can allow access for docker to your host system.

You can use the information on the interface to create a rule, for example, ufw allow out on docker0 from 172.17.0.0/16

Using the port, you can make this rule more strict by using the following command, for example

ufw allow out on docker0 from 172.17.0.0/16 port 80 proto tcp

Docker creates a new interface for containers and to view this, you can use the ifconfig command:

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a4:5e:e9:9c  txqueuelen 0  (Ethernet)
        RX packets 87  bytes 17172 (17.1 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 117  bytes 14956 (14.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
This interface routes traffic through 172.17.xxx.xxx