Docker - 可从外部访问的暴露端口 - 忽略 iptables 规则

Docker - 可从外部访问的暴露端口 - 忽略 iptables 规则

我有一个正在运行的docker容器:

 docker run --name some_container_1 -p 8080:80 -d some_image

运行正常。容器将其端口 80 公开到 8080,可从本地主机访问。

然而由于某种原因,它完全忽略了 INPUT iptables 规则,并且可以从外部访问。

如何限制对我的 Docker 容器的访问以仅允许 IP 123.456.789.0 从外部访问它?

谢谢。


sudo iptables -L -n -v --行号

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
2      365 23380 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        7   788 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
5        7   788 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1       24  1524 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3       15 13320 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 204 packets, 21792 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       24  1524 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:80

sudo iptables-保存

# Generated by iptables-save v1.4.21 on Wed Apr  8 23:37:43 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:16642]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Apr  8 23:37:43 2015
# Generated by iptables-save v1.4.21 on Wed Apr  8 23:37:43 2015
*nat
:PREROUTING ACCEPT [13:2206]
:INPUT ACCEPT [1:64]
:OUTPUT ACCEPT [4:268]
:POSTROUTING ACCEPT [4:268]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
# Completed on Wed Apr  8 23:37:43 2015

docker 信息

Containers: 1
Images: 25
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 27
Execution Driver: native-0.2
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
CPUs: 4
Total Memory: 7.746 GiB
Name: nuc-001
ID: WCMU:MN3T:VFKR:IU42:6423:OEI6:IB5Q:WBNV:K75H:JZDS:UWU5:57WD
WARNING: No memory limit support
WARNING: No swap limit support

答案1

在内部,Docker 使用 iptables 将端口 8080 上的 docker 主机连接转发到容器上监听端口 80 的服务。配置中的关键是这一行 -

-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80

通过插入(-I)新的转发行,您可以阻止连接转发到容器 IP,在本例中为 172.17.0.2。尝试此规则 -

/sbin/iptables -I FORWARD '!' -s 123.456.789.0 -d 172.17.0.2 -p tcp --dport 80 -j DROP

答案2

您可以将端口绑定到本地计算机。这样 docker 就不会将端口暴露给外部。(iptables)

docker run -p 127.0.0.1:8080:8080 some_image

相关内容