I am trying to do the following:
- Block all internal traffic
- Only allow access to ports 81, 82 when the IP is XXXX
- Allow all outbound traffic, including port 22
I thought it was already working, but now I can't telnet to port 22 because it is blocked:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -s 10.0.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-007253d18d56 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-007253d18d56 -j DOCKER
-A FORWARD -i br-007253d18d56 ! -o br-007253d18d56 -j ACCEPT
-A FORWARD -i br-007253d18d56 -o br-007253d18d56 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-007253d18d56 ! -o br-007253d18d56 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-007253d18d56 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -p tcp -m multiport --dports 81:82 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
Updated rules:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-378207e135f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-378207e135f2 -j DOCKER
-A FORWARD -i br-378207e135f2 ! -o br-378207e135f2 -j ACCEPT
-A FORWARD -i br-378207e135f2 -o br-378207e135f2 -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -j DOCKER
-A FORWARD -i br-465a6988e9e5 ! -o br-465a6988e9e5 -j ACCEPT
-A FORWARD -i br-465a6988e9e5 -o br-465a6988e9e5 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.19.0.5/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-378207e135f2 ! -o br-378207e135f2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-378207e135f2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -i eth1 -p tcp -m multiport --dports 81:82 -j DROP
-A DOCKER-USER -j RETURN
Answer 1
It is best to know the connection state of the interface.
This is probably the best shot, but it may not be optimal:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-378207e135f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-378207e135f2 -j DOCKER
-A FORWARD -i br-378207e135f2 ! -o br-378207e135f2 -j ACCEPT
-A FORWARD -i br-378207e135f2 -o br-378207e135f2 -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -j DOCKER
-A FORWARD -i br-465a6988e9e5 ! -o br-465a6988e9e5 -j ACCEPT
-A FORWARD -i br-465a6988e9e5 -o br-465a6988e9e5 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.19.0.5/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-378207e135f2 ! -o br-378207e135f2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-378207e135f2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN
If you need to allow multiple IP addresses, you can use ipset:
Create the ipset
ipset create allowed hash:ip
and add your IP addresses
ipset add allowed 10.0.0.1
Finally, enter the rules into iptables
-A INPUT -p tcp --dport 81 -m set --match-set allowed src -j ACCEPT
-A INPUT -p tcp --dport 82 -m set --match-set allowed src -j ACCEPT
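Added example (not code from the question or the answer): a small Python evaluator for the subset of iptables matches used on this page (-s, -p, --dport/--dports and the "!" negation), run over constructed excerpts of the question's first rule set and the answer's INPUT chain. It shows why the "-A INPUT -s 10.0.0.0/16 -j REJECT" line rejects SSH from the whole internal range no matter what the OUTPUT chain allows, how the answer's default-deny INPUT still admits port 22, and how the "! -s 10.0.0.16/32" DOCKER-USER rule returns to Docker's own rules only for the allowed address. The packet dicts and helper names are my own assumptions.

```python
import ipaddress
# Constructed excerpts of this page's rule sets: the lines that decide an SSH packet (INPUT) and a port 81/82 request (DOCKER-USER).
ORIGINAL = [  # from the question's first rule set
    "-P INPUT ACCEPT",
    "-A INPUT -s 10.0.0.0/16 -j REJECT --reject-with icmp-port-unreachable",
    "-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A DOCKER-USER ! -s 10.0.0.16/32 -p tcp -m multiport --dports 81:82 -j REJECT --reject-with icmp-port-unreachable",
    "-A DOCKER-USER -j RETURN",
]
PROPOSED = [  # from the answer: default-deny INPUT with SSH explicitly allowed
    "-P INPUT DROP",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
]

def rule_matches(rule, pkt):
    """True if every match before -j holds for pkt; handles -s, -p, --dport/--dports and '!' negation."""
    i, negate = 0, False
    while rule[i] != "-j":
        opt, val = rule[i], rule[i + 1]
        if opt == "!":  # iptables-save puts the negation before the option it applies to
            negate, i = True, i + 1
            continue
        if opt == "-s":
            hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            hit = pkt["proto"] == val
        elif opt in ("--dport", "--dports"):
            lo, _, hi = val.partition(":")  # multiport range "81:82" or a single port
            hit = int(lo) <= pkt["dport"] <= int(hi or lo)
        else:  # -m tcp / -m multiport only load a match extension and impose no condition
            hit = True
        if hit == negate:
            return False
        negate, i = False, i + 2
    return True

def verdict(chain, pkt, ruleset):
    """First terminating target wins, else the chain policy (None: a user chain fell through, i.e. RETURN)."""
    policy = None
    for tok in (line.split() for line in ruleset):
        if tok[1] != chain:  # only this chain's -P and -A lines matter
            continue
        if tok[0] == "-P":
            policy = tok[2]
        elif rule_matches(tok[2:], pkt):
            target = tok[tok.index("-j") + 1]
            if target == "RETURN":
                break
            return target  # ACCEPT, DROP or REJECT (no nested user chains in these excerpts)
    return policy
```

A None verdict from DOCKER-USER means the packet continues to the Docker-generated FORWARD rules, which is what makes 10.0.0.16 reach ports 81 and 82 while every other source is rejected before those rules are consulted.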