    ~# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), deny (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    22                         ALLOW IN    Anywhere
    80                         ALLOW IN    Anywhere
    27015:27115/udp            ALLOW IN    Anywhere
    27015:27115/tcp            ALLOW IN    Anywhere
    22 (v6)                    ALLOW IN    Anywhere (v6)
    80 (v6)                    ALLOW IN    Anywhere (v6)
    27015:27115/udp (v6)       ALLOW IN    Anywhere (v6)
    27015:27115/tcp (v6)       ALLOW IN    Anywhere (v6)
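As you can see, it denies incoming connections by default and only allows certain ports. However, I just set up a new service on port 8083, and I can reach it from outside. Why is that?
I am using a Docker container to run this new service, in case that matters.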
It looks like Docker tampers directly with IPTables. This behavior can be overridden by adding --iptables=false to the Docker daemon.
Edit /etc/default/docker and uncomment the DOCKER_OPTS line:
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
The author summarizes as follows:
- UFW doesn’t tell you iptables true state (not shocking, but still).
- Never use the -p option (or -P) in Docker for something you don’t want to be public.
- Only bind on either the loopback interface or an internal IP.
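
An added example, not from the original post or its author, of checking for the mismatch described above: it parses `docker ps` port listings and reports bindings on all interfaces that the UFW allow list shown on this page does not cover. The container names and the sample listing are constructed, and hard-coding the allow list from the output above is an assumption.

```shell
#!/bin/sh
# Added example: report Docker port bindings that listen on all interfaces
# although no UFW rule allows them (the port 8083 situation on this page).

# Allow list copied from the ufw output on this page. Protocol is ignored
# because the page's rules cover both tcp and udp.
UFW_ALLOWED="22 80 27015:27115"

# ufw_allows FIRST LAST: succeed if a single rule covers the whole range.
ufw_allows() {
    for rule in $UFW_ALLOWED; do
        lo=${rule%%:*}; hi=${rule##*:}
        if [ "$1" -ge "$lo" ] && [ "$2" -le "$hi" ]; then return 0; fi
    done
    return 1
}

# Reads "name<TAB>ports" lines, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "name address port/proto" for each unfiltered public binding.
find_unfiltered_bindings() {
    while IFS="$(printf '\t')" read -r name ports; do
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r binding; do
            case $binding in *'->'*) ;; *) continue ;; esac  # exposed only
            host=${binding%%->*}; proto=${binding##*/}
            addr=${host%:*}; hostport=${host##*:}
            # Skip loopback and specific internal addresses.
            case $addr in 0.0.0.0|::|'[::]') ;; *) continue ;; esac
            ufw_allows "${hostport%%-*}" "${hostport##*-}" ||
                echo "$name $addr $hostport/$proto"
        done
    done
}

# Constructed sample input; container names are hypothetical.
sample_docker_ps() {
    printf '%s\t%s\n' \
        newservice '0.0.0.0:8083->8083/tcp, :::8083->8083/tcp' \
        web        '0.0.0.0:80->80/tcp' \
        db         '127.0.0.1:5432->5432/tcp' \
        cache      '6379/tcp' \
        game       '0.0.0.0:27015-27020->27015-27020/udp'
}

sample_docker_ps | find_unfiltered_bindings
```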