How can I configure iptables policies with Docker to block external IPs
I am trying to restrict access to the containers from external IPs. I followed the Docker documentation at https://docs.docker.com/network/iptables/, but it does not work.
I have created a bridge network:
docker network create -d bridge --subnet 172.19.0.0/24 --opt com.docker.network.bridge.name=br-mynet mynet
Then I run the containers with docker-compose on the network above. After that I see the following iptables rules:
~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:8086
ACCEPT tcp -- anywhere 172.19.0.6 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.9 tcp dpt:8888
ACCEPT tcp -- anywhere 172.19.0.12 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.8 tcp dpt:3000
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:9092
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
At this point, every external IP can connect to all the containers on the host at 172.19.0.x. Then, as described in the documentation, I apply the Docker rule to accept connections only from 10.223.20.173:
iptables -I DOCKER-USER -i br-mynet ! -s 10.223.20.173 -j DROP
This means that only the external host 10.223.20.173 should be able to connect to the containers. The iptables rules become:
~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.19.0.3 tcp dpt:8086
ACCEPT tcp -- anywhere 172.19.0.6 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.7 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.9 tcp dpt:8888
ACCEPT tcp -- anywhere 172.19.0.12 tcp dpt:https
ACCEPT tcp -- anywhere 172.19.0.8 tcp dpt:3000
ACCEPT tcp -- anywhere 172.19.0.5 tcp dpt:9092
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
DROP all -- !10.223.20.173 anywhere
RETURN all -- anywhere anywhere
But with this configuration, the IP 10.223.20.173 cannot connect to the containers.
On the other hand, when I apply the rule without the negation !, that IP connects successfully. It should be the other way around.
Any help is appreciated!
I think the following is happening. You have one "box" interface connected to the external network, say eth0, and your interface connected to the docker network, br-mynet:
+---------------------------+
[internet]<---> | (eth0) <-> (br-mynet) |
| ⇵ |
| [docker hosts] |
+---------------------------+
You are trying to block packets going from the internet to the docker hosts, left to right in the diagram.
They come in on eth0 and are forwarded to br-mynet.
You are adding a rule that matches:
- source: ! 10.223.20.173
- incoming interface: br-mynet
So you are actually matching packets coming from docker with any source address different from 10.223.20.173 (i.e. any packet), and blocking those responses.
Please try:
iptables -I DOCKER-USER -i eth0 -o br-mynet ! -s 10.223.20.173 -j DROP
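To make the interface-matching point concrete, here is an added example (not part of the question or answer above) that models how a DOCKER-USER rule with `-i`, `-o` and `! -s` is evaluated against forwarded packets. The packets, the interface names and the verdicts are constructed to mirror the scenario in the thread; it is a simulation of the match logic, not a call into iptables.

```python
from dataclasses import dataclass
from typing import Dict, Optional

CLIENT = "10.223.20.173"  # the one external host that should be allowed

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on (-i)
    out_if: str  # interface it will leave on (-o)
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    """Minimal model of `iptables -I DOCKER-USER [-i IN] [-o OUT] [!] -s SRC -j DROP`."""
    in_if: Optional[str] = None   # None means "any interface"
    out_if: Optional[str] = None
    src: Optional[str] = None     # None means "any source"
    negate_src: bool = False      # True models `! -s SRC`

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        if self.src is not None and (p.src == self.src) == self.negate_src:
            return False  # `! -s X` matches everything except X; `-s X` matches only X
        return True

# The three rules discussed in the thread.
QUESTION_RULE = Rule(in_if="br-mynet", src=CLIENT, negate_src=True)        # -i br-mynet ! -s CLIENT
NO_NEGATION_RULE = Rule(in_if="br-mynet", src=CLIENT, negate_src=False)    # -i br-mynet -s CLIENT
ANSWER_RULE = Rule(in_if="eth0", out_if="br-mynet", src=CLIENT, negate_src=True)  # -i eth0 -o br-mynet ! -s CLIENT

# Constructed traffic: the allowed client talks to the postgres container, plus an unrelated host.
SAMPLE = {
    "inbound from client": Packet("eth0", "br-mynet", CLIENT, "172.19.0.2"),
    "reply to client":     Packet("br-mynet", "eth0", "172.19.0.2", CLIENT),
    "inbound from other":  Packet("eth0", "br-mynet", "203.0.113.9", "172.19.0.2"),
}

def verdict(rule: Rule, p: Packet) -> str:
    """DROP when the DOCKER-USER rule matches; otherwise the packet falls through (RETURN)."""
    return "DROP" if rule.matches(p) else "RETURN"

def trace(rule: Rule) -> Dict[str, str]:
    return {name: verdict(rule, p) for name, p in SAMPLE.items()}

if __name__ == "__main__":
    for label, rule in [("question", QUESTION_RULE), ("no negation", NO_NEGATION_RULE), ("answer", ANSWER_RULE)]:
        print(label, trace(rule))
```

With the question's rule the client's inbound packet is never examined (it arrives on eth0, not br-mynet) while the container's reply is dropped, which is exactly the "allowed host cannot connect" symptom; the answer's rule drops only the foreign inbound packet.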