IPTables: block internal traffic but allow all outgoing traffic

I am trying to do the following:

  • Block all internal traffic
  • Allow access to ports 81 and 82 only when the source IP is XXXX
  • Allow all outbound traffic, including port 22

I thought it was working, but now I cannot telnet to port 22 because it is blocked:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -s 10.0.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-007253d18d56 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-007253d18d56 -j DOCKER
-A FORWARD -i br-007253d18d56 ! -o br-007253d18d56 -j ACCEPT
-A FORWARD -i br-007253d18d56 -o br-007253d18d56 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-007253d18d56 ! -o br-007253d18d56 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-007253d18d56 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -p tcp -m multiport --dports 81:82 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN

Updated rules:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-378207e135f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-378207e135f2 -j DOCKER
-A FORWARD -i br-378207e135f2 ! -o br-378207e135f2 -j ACCEPT
-A FORWARD -i br-378207e135f2 -o br-378207e135f2 -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -j DOCKER
-A FORWARD -i br-465a6988e9e5 ! -o br-465a6988e9e5 -j ACCEPT
-A FORWARD -i br-465a6988e9e5 -o br-465a6988e9e5 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.19.0.5/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-378207e135f2 ! -o br-378207e135f2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-378207e135f2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -i eth1 -p tcp -m multiport --dports 81:82 -j DROP
-A DOCKER-USER -j RETURN

Answer 1

It would be good to know the connection state of the interfaces.

This is probably the best shot, but it may not be optimal:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-378207e135f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-378207e135f2 -j DOCKER
-A FORWARD -i br-378207e135f2 ! -o br-378207e135f2 -j ACCEPT
-A FORWARD -i br-378207e135f2 -o br-378207e135f2 -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -j DOCKER
-A FORWARD -i br-465a6988e9e5 ! -o br-465a6988e9e5 -j ACCEPT
-A FORWARD -i br-465a6988e9e5 -o br-465a6988e9e5 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.19.0.5/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-378207e135f2 ! -o br-378207e135f2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-378207e135f2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN

If you need to allow multiple IP addresses, you can use ipset.

Create the ipset:

ipset create allowed hash:ip

and add your IP addresses:

ipset add allowed 10.0.0.1

Finally, add the rules to iptables:

-A INPUT -p tcp --dport 81 -m set --match-set allowed src -j ACCEPT
-A INPUT -p tcp --dport 82 -m set --match-set allowed src -j ACCEPT
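
The script below is an added example and is not part of the question or of the answer above. It expresses the policy the question asks for as iptables commands: replies and SSH are accepted on the host before the internal range is rejected (the order that the first rule set in the question lacked), and ports 81 and 82 are restricted with the answer's ipset in the DOCKER-USER chain, because traffic to a published container port is DNATed and forwarded rather than delivered to INPUT. The external interface eth1, the internal range 10.0.0.0/16, the admin host 10.0.0.16 and the ipset name "allowed" are assumptions taken from the question; with DRY_RUN=1 (the default) the commands are only printed.

```sh
#!/bin/sh
# Added example, not from the question or the answer: print (DRY_RUN=1) or
# apply (DRY_RUN=0, as root, Docker running) the policy the question asks for.
# Assumed values, taken from the question: external interface eth1,
# internal range 10.0.0.0/16, admin host 10.0.0.16, ipset named "allowed".
EXT_IF="${EXT_IF:-eth1}"
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/16}"
ADMIN_IP="${ADMIN_IP:-10.0.0.16}"
ALLOWED_SET="${ALLOWED_SET:-allowed}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_policy() {
  # Allowed sources live in an ipset so more admin hosts can be added later.
  run ipset -exist create "$ALLOWED_SET" hash:ip
  run ipset -exist add "$ALLOWED_SET" "$ADMIN_IP"

  # Host services (INPUT): accept replies and SSH *before* the blanket
  # REJECT of the internal range; the question's first rule set put the
  # REJECT alone in INPUT, which is what cut off SSH from that range.
  run iptables -P OUTPUT ACCEPT
  run iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
  run iptables -I INPUT 3 -s "$INTERNAL_NET" -j REJECT --reject-with icmp-port-unreachable

  # Published container ports never reach INPUT: the packet is DNATed and
  # forwarded, and Docker sends FORWARD traffic through DOCKER-USER first.
  # DNAT has already rewritten the destination, so match the port the
  # client originally asked for with --ctorigdstport.
  run iptables -F DOCKER-USER
  run iptables -A DOCKER-USER -i "$EXT_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  for port in 81 82; do
    run iptables -A DOCKER-USER -i "$EXT_IF" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL \
      -m set --match-set "$ALLOWED_SET" src -j ACCEPT
    run iptables -A DOCKER-USER -i "$EXT_IF" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j DROP
  done
  run iptables -A DOCKER-USER -j RETURN
}

# Number of iptables commands the policy generates (dry run, no root needed).
rule_count() {
  ( DRY_RUN=1; apply_policy ) | grep -c '^iptables '
}
```

Docker only creates DOCKER-USER when it is missing and does not rewrite rules placed there, so the chain content survives a Docker restart, whereas rules inserted directly into FORWARD may be reordered when Docker rebuilds its own rules.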
