时间戳

首页 > 解决方案 > 如何使用 docker 配置 iptables 策略以阻止外部 ip

docker - 如何使用 docker 配置 iptables 策略以阻止外部 ip

问题描述

我正在尝试限制从外部 IP 访问容器。我在https://docs.docker.com/network/iptables/上关注了 docker 文档,但它不起作用。

我创建了一个桥接网络:

docker network create -d bridge --subnet 172.19.0.0/24 --opt com.docker.network.bridge.name=br-mynet mynet

然后我使用以前的网络运行容器 trought Docker-compose。Atfer 比我能看到的 iptables 规则:

~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:omniorb
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:8086
ACCEPT     tcp  --  anywhere             172.19.0.6           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.7           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.9           tcp dpt:8888
ACCEPT     tcp  --  anywhere             172.19.0.12          tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.8           tcp dpt:3000
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:9092
ACCEPT     tcp  --  anywhere             172.19.0.4           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

在这一步,所有外部 IP 都可以连接到 172.19.0.x 的所有主机容器。然后我按照文档中的描述应用 docker 规则以仅接受来自 10.223.20.173 的连接:

iptables -I DOCKER-USER -i br-mynet ! -s 10.223.20.173 -j DROP

这意味着唯一的外部 10.223.20.173 可以连接到容器。iptables 规则变为:

~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:omniorb
ACCEPT     tcp  --  anywhere             172.19.0.3           tcp dpt:8086
ACCEPT     tcp  --  anywhere             172.19.0.6           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.7           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.9           tcp dpt:8888
ACCEPT     tcp  --  anywhere             172.19.0.12          tcp dpt:https
ACCEPT     tcp  --  anywhere             172.19.0.8           tcp dpt:3000
ACCEPT     tcp  --  anywhere             172.19.0.5           tcp dpt:9092
ACCEPT     tcp  --  anywhere             172.19.0.4           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
DROP       all  -- !10.223.20.173        anywhere
RETURN     all  --  anywhere             anywhere

但是使用此配置,ip 10.223.20.173 无法连接到容器。另一方面,当我应用不带负号!的规则时,IP 连接成功。但它应该是相反的。

感谢任何帮助!

标签: dockeriptables

解决方案

我认为会发生以下情况。您有一个“盒子”,其接口连接到外部网络,例如 eth0,以及您的 docker 网络接口 br-mynet:

                +---------------------------+
[internet]<---> | (eth0) <-> (br-mynet)     |
                |                ⇵          |
                |            [docker hosts] |
                +---------------------------+

您正在尝试阻止从互联网到 docker 主机的数据包,在图像中从左到右。他们正在进入 eth0 并转发到 br-mynet。

您正在添加匹配的规则:

  • 资源 !10.223.20.173
  • 传入接口:br-mynet

因此,您实际上正在匹配来自 docker 的数据包与任何不同于 10.223.20.173 的源地址(即任何数据包),并且正在阻止这些响应。

请试试:

iptables -I DOCKER-USER -i eth0 -o br-mynet ! -s 10.223.20.173 -j DROP

推荐阅读