Use conntrack to allow incoming responses for outbound connections ch…

…aifeng#115
cwilson1776 · Sep 29, 2024 · 09e43cc · 09e43cc
1 parent 42de3e3
commit 09e43cc
Showing 1 changed file with 7 additions and 9 deletions.
diff --git a/ufw-docker b/ufw-docker
@@ -352,20 +352,18 @@ function ufw-docker--check-install() {
 	:DOCKER-USER - [0:0]
 	-A DOCKER-USER -j ufw-user-forward
 
+	# allow communication between containers
 	-A DOCKER-USER -j RETURN -s 10.0.0.0/8
 	-A DOCKER-USER -j RETURN -s 172.16.0.0/12
 	-A DOCKER-USER -j RETURN -s 192.168.0.0/16
 
-	-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
-
-	-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-	-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-	-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-	-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-	-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-	-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
+	# allow established connections (e.g. initiated by a container)
+	-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 10.0.0.0/8
+	-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 172.16.0.0/12
+	-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN -d 192.168.0.0/16
 
-	-A DOCKER-USER -j RETURN
+	# block anything else
+	-A DOCKER-USER -j ufw-docker-logging-deny
 
 	-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
 	-A ufw-docker-logging-deny -j DROP