Networking & Firewall

This section provides comprehensive coverage of Linux networking and firewall configuration, with particular focus on the complex interactions between UFW, Docker, KVM/libvirt, and LXC.

Why This Matters

A home server running virtualization and containers creates a complex networking environment where multiple tools manipulate the same underlying systems. Without understanding these interactions, you risk:

• Security holes - Services exposed unintentionally
• Broken connectivity - VMs or containers unable to reach the network
• Debugging nightmares - Hours spent on issues caused by conflicting rules
• False sense of security - UFW enabled but not actually protecting anything

Section Overview

Fundamentals

• Linux Networking Basics - How packets flow through the kernel
• Netfilter Architecture - The kernel's packet filtering framework
• iptables Deep Dive - Tables, chains, and rule processing
• nftables Introduction - The modern netfilter frontend
• Network Namespaces - Container and VM network isolation

UFW

• UFW Fundamentals - What UFW does and how it works
• UFW Configuration - Rules, policies, and files
• UFW Advanced Usage - Complex rules and custom chains
• UFW Logging & Monitoring - Understanding and analyzing logs

Docker Networking

• Docker Network Overview - Bridge, host, overlay networks
• Docker and iptables - How Docker manipulates firewall rules
• Docker UFW Conflict - The bypass problem explained
• Docker UFW Solutions - Fixing the Docker/UFW issue
• Docker Compose Networking - Multi-container networking
• Docker Network Security - Hardening container networks

KVM/libvirt Networking

• libvirt Network Overview - NAT, bridged, and isolated networks
• KVM UFW Integration - Making UFW work with VMs
• Bridged Networking - VMs on the host network
• VM Port Forwarding - Exposing VM services

LXC/LXD Networking

• LXD Network Overview - Container networking modes
• LXD UFW Integration - Firewall considerations for LXC

Integration & Conflicts

• Multi-Technology Conflicts - When Docker, KVM, and LXC collide

External Access

• External Access Guide - Accessing services from outside your network

Troubleshooting

• Debugging Methodology - Systematic approach to network issues
• Common Problems - Frequent issues and solutions

Reference

• Complete before.rules - Production-ready UFW configuration

Quick Start

If you're setting up a new server, start with:

1. UFW Fundamentals - Basic firewall setup
2. Docker UFW Conflict - Understand the problem
3. Docker UFW Solutions - Fix it
4. Complete before.rules - Copy a working config

Key Takeaways

Docker Bypasses UFW

By default, Docker published ports are accessible from anywhere, regardless of UFW rules. See Docker UFW Conflict.

Multiple Tools, One iptables

Docker, libvirt, and LXD all manipulate iptables. They can conflict. See Multi-Technology Conflicts.

Use before.rules

Most integration issues are solved by properly configuring /etc/ufw/before.rules. See Complete before.rules.