I’ve only used ufw and just now I had to run this command to fix an issue with docker.
sudo iptables -I INPUT -i docker0 -j ACCEPT
I don’t know why I had to run this to make curl work.
So, what did I exactly just do?
This is behind my house router which already has reject input from wan, so I’m guessing it’s fine, right?
I’m asking since the image I’m running at home I was previously running it in a VPS which has a public IP and this makes me wonder if I have something open there without knowing :/
ufw is configured to deny all incoming, but I learnt docker by passes this if you configure the ports like 8080:8080 instead of 127.0.0.1:8080:8080. And I confirmed it by accessing the ip and port.
You should not have to open such a permissive rule. Like you’ve seen, docker will set firewall rules as needed if you have services that actually need to listen on the public interface.
If you’ve run that permissive input command on the VPS it’s most likely not a good idea.
What exactly are you trying to do? If you’re trying to use curl from inside a docker container that is not the correct way to achieve that. In fact you should not need to do anything like that, outside connections should be allowed (OUTPUT), and incoming collections (INPUT) should be allowed only if they’re related to an already ongoing connection (look up the ESTABLISHED flag).
Any extra flag you can offer that would narrow things down would also be welcome. When you write firewall rules you should be as restrictive as possible. For example since this is curl you’re probably going to connect to ports 80 and 443 so you can add --dport to restrict the ports to the OUTPUT rule. And you should specify the interface (in this case docker0) in almost all cases.