docker - 如何使用 docker 配置 iptables 策略以阻止外部 ip
问题描述
我正在尝试限制从外部 IP 访问容器。我在https://docs.docker.com/network/iptables/上关注了 docker 文档,但它不起作用。
我创建了一个桥接网络:
docker network create -d bridge --subnet 172.19.0.0/24 --opt com.docker.network.bridge.name=br-mynet mynet
然后我使用以前的网络运行容器 trought Docker-compose。Atfer 比我能看到的 iptables 规则:
~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:8086
ACCEPT tcp -- anywhere 172.19.0.6 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.9 tcp dpt:8888
ACCEPT tcp -- anywhere 172.19.0.12 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.8 tcp dpt:3000
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:9092
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
在这一步,所有外部 IP 都可以连接到 172.19.0.x 的所有主机容器。然后我按照文档中的描述应用 docker 规则以仅接受来自 10.223.20.173 的连接:
iptables -I DOCKER-USER -i br-mynet ! -s 10.223.20.173 -j DROP
这意味着唯一的外部 10.223.20.173 可以连接到容器。iptables 规则变为:
~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:8086
ACCEPT tcp -- anywhere 172.19.0.6 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.9 tcp dpt:8888
ACCEPT tcp -- anywhere 172.19.0.12 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.8 tcp dpt:3000
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:9092
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
DROP all -- !10.223.20.173 anywhere
RETURN all -- anywhere anywhere
但是使用此配置,ip 10.223.20.173 无法连接到容器。另一方面,当我应用不带负号!的规则时,IP 连接成功。但它应该是相反的。
感谢任何帮助!
解决方案
我认为会发生以下情况。您有一个“盒子”,其接口连接到外部网络,例如 eth0,以及您的 docker 网络接口 br-mynet:
+---------------------------+
[internet]<---> | (eth0) <-> (br-mynet) |
| ⇵ |
| [docker hosts] |
+---------------------------+
您正在尝试阻止从互联网到 docker 主机的数据包,在图像中从左到右。他们正在进入 eth0 并转发到 br-mynet。
您正在添加匹配的规则:
- 资源 !10.223.20.173
- 传入接口:br-mynet
因此,您实际上正在匹配来自 docker 的数据包与任何不同于 10.223.20.173 的源地址(即任何数据包),并且正在阻止这些响应。
请试试:
iptables -I DOCKER-USER -i eth0 -o br-mynet ! -s 10.223.20.173 -j DROP
推荐阅读
- symfony - Symfony 4.1 的 SQLite 环境
- amazon-web-services - 如何处理具有各种“自定义”字段的数据的 ETL / ELT?
- java - JavaFX ObjectOutputStream 只返回 null
- python - OpenPyXL - 如何查询单元格边界?
- swift - swift uipickerview 高度更改不起作用
- swift - 检索最佳分数 Game Center Swift
- typescript - Cocos Creator 和 TypeScript 使用枚举作为属性
- php - 在蓝图中使用页面内容
- google-chrome - 创建 ChromeApps 仍然有意义吗?
- kivy - 无法使用 buildozer 从 kivy 创建 APK 文件