
If you are running Docker alongside a host firewall such as ufw or firewalld, you may run into the problem that Docker bypasses the firewall rules.
Goal
...
Thanks a lot! This is the solution I have been searching for months. The only way to circumvent the problem so far was to define a security rule on the firewall at the cloud provider level.
Your solution is what fixes my problem completely. Thank you.
Thank you for the great post!
Does setting masquerade on the public interface bring any security implications?
Traffic reaching the 'eth0' interface with a destination other than the server IP is now forwarded instead of filtered. When this traffic originates from the docker interface/IPs, forwarding is great, but how is it the other way around?
Is traffic from the internet with a destination of e.g. one of your docker containers routed as well, bypassing the firewall filter rules?
So far, I am not aware of any specific vulnerabilities introduced by masquerading. However, this may depend on the actual usage / setup. I strongly recommend extensively checking whether the setup works as intended.
Regarding traffic from the internet with a container as destination: packets from the internet with the destination set to a container IP address do not reach your server in the first place. Container IP addresses are only accessible within the local network on the server. This article explains this among other interesting details.
If the server IP address is set as destination in a packet, the firewall rules do apply.
See my reddit post for a reason why this does have security implications :_)
You are right. Thank you for sharing! I will update the article to include the implications described in your post.
Thanks! This works great.
But now I face another problem, and cannot find a solution.
How to access LAN camera from docker container Frigate?
Frigate docker container IP 172.18.0.2
Camera IP: 192.168.178.6
Camera listening port 554/TCP
Zones: public (br0), trusted (docker0)
[Sun Jun 22 13:37:33 2025] filter_FWD_public_REJECT: IN=br-49xxx OUT=br0 MAC=xx:xx:xx:xx: SRC=172.18.0.2 DST=192.168.178.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54500 DF PROTO=TCP SPT=40902 DPT=554 WINDOW=64240 RES=0x00 SYN URGP=0
Forwarding is being rejected.
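As an added example (not from the article or any of the commenters), the following Python parses firewalld's denied-packet kernel log lines like the one quoted above and labels rejected forwards by direction, so a blocked container-to-LAN connection such as this one can be spotted quickly in a batch of log lines; the Docker and LAN address ranges are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re

# firewalld logs denied packets (LogDenied setting) to the kernel log with a
# "filter_<chain>_<zone>_<verdict>:" prefix and KEY=VALUE pairs, plus bare
# flags such as DF or SYN, exactly like the line quoted in the comment above.
PREFIX_RE = re.compile(r"(?:filter_)?(?P<chain>IN|FWD)_(?P<zone>\w+?)_(?P<verdict>REJECT|DROP):")
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")

# Assumed address ranges: Docker's default bridge pool and common LAN ranges.
DOCKER_NETS = [ipaddress.ip_network("172.16.0.0/12")]
LAN_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines: the first mirrors the rejected forward quoted in the
# comment above, the second is an unrelated (assumed-shape) INPUT rejection.
SAMPLE_LOG = [
    "[Sun Jun 22 13:37:33 2025] filter_FWD_public_REJECT: IN=br-49xxx OUT=br0 "
    "MAC=xx:xx:xx:xx: SRC=172.18.0.2 DST=192.168.178.6 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=63 ID=54500 DF PROTO=TCP SPT=40902 DPT=554 WINDOW=64240 RES=0x00 SYN URGP=0",
    "[Sun Jun 22 13:40:01 2025] filter_IN_public_REJECT: IN=br0 OUT= "
    "SRC=203.0.113.9 DST=192.168.178.2 PROTO=TCP SPT=51000 DPT=22",
]

def parse_denied(line):
    """Split one firewalld denied-packet log line into a dict, or return None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields.update(KV_RE.findall(line[m.end():]))  # KEY=VALUE pairs after the prefix
    return fields

def in_any(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address
        return False
    return any(addr in net for net in nets)

def classify(fields):
    """Label a rejected packet by the direction of the blocked forward."""
    if not fields or fields["chain"] != "FWD":
        return "not-a-forward"
    src, dst = fields.get("SRC", ""), fields.get("DST", "")
    if in_any(src, DOCKER_NETS) and in_any(dst, LAN_NETS):
        return "container-to-lan"  # e.g. Frigate trying to reach the camera
    if in_any(src, LAN_NETS) and in_any(dst, DOCKER_NETS):
        return "lan-to-container"
    return "other"
```

Feeding `journalctl -k` output through `parse_denied` and `classify` separates forwards the firewall blocked between a Docker bridge and the LAN from ordinary INPUT rejections, which is the first thing to check before loosening any zone.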
This project looks similar but for ufw: github.com/chaifeng/ufw-docker
This works, but not for ipv6. I have both ipv4 and ipv6 enabled throughout and most applications prefer ipv6. I cannot reach a container by ipv6 from elsewhere in my network.
Adding rich rule 'rule family="ipv6" masquerade' to zone public fixed outbound ipv6 traffic. I haven't yet found anything for inbound traffic though.
@soerenmetje it seems to work very well but in this way I can't use fail2ban...
containers aren't able to log the external IP addresses...
is there a workaround for fail2ban?
I haven't dealt with that yet. If you find a workaround, feel free to post it here.