I am running a Docker server under Ubuntu 22.04.2 that has several IP addresses and containers.
In my log file I see an external IP trying to connect to a Minecraft server running in a Docker container.
I added the following rules:
iptables -F INPUT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -A INPUT -s [IP-TO-BLOCK] -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 8880 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 1] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 1] --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 10011 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 30033 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 2] --dport 9987 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 2] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 2] --dport 25565 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 3] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d [SERVER-IP 3] --dport 25565 -j ACCEPT
iptables -A INPUT -p udp -d [SERVER-IP 3] --dport 25565 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 1] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 1] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 2] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 2] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -d [SERVER-IP 3] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -d [SERVER-IP 3] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -P INPUT DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s [SERVER-IP 1] -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s [SERVER-IP 1] -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-ISOLATION-STAGE-1 -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-ISOLATION-STAGE-2 -s [IP-TO-BLOCK] -j DROP
iptables -A DOCKER-USER -s [IP-TO-BLOCK] -j DROP
iptables-save > /etc/iptables.up.rules
My iptables configuration (iptables -L) looks like this:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- [IP-TO-BLOCK] anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere localhost/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:http
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:https
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:8443
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:http-alt
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:tproxy
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:8880
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 1] tcp dpt:25565
ACCEPT udp -- anywhere [SERVER-HOSTNAME 1] udp dpt:25565
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:http
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:10011
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:30033
ACCEPT udp -- anywhere [SERVER-HOSTNAME 2] udp dpt:9987
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 2] tcp dpt:25565
ACCEPT udp -- anywhere [SERVER-HOSTNAME 2] udp dpt:25565
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 3] tcp dpt:http
ACCEPT tcp -- anywhere [SERVER-HOSTNAME 3] tcp dpt:25565
ACCEPT udp -- anywhere [SERVER-HOSTNAME 3] udp dpt:25565
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 1] icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 1] icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 2] icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 2] icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 3] icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere [SERVER-HOSTNAME 3] icmp echo-request state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- [SERVER-HOSTNAME 1] anywhere icmp echo-reply state RELATED,ESTABLISHED
ACCEPT icmp -- [SERVER-HOSTNAME 1] anywhere icmp echo-request state NEW,RELATED,ESTABLISHED
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:30033
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10011
ACCEPT udp -- anywhere 172.17.0.2 udp dpt:9987
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.0.5 tcp dpt:9443
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:25565
ACCEPT udp -- anywhere 172.17.0.6 udp dpt:25565
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:25565
ACCEPT udp -- anywhere 172.17.0.7 udp dpt:25565
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.8 tcp dpt:25565
ACCEPT udp -- anywhere 172.17.0.8 udp dpt:25565
ACCEPT tcp -- anywhere 172.17.0.8 tcp dpt:http
DROP all -- [IP-TO-BLOCK] anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DROP all -- [IP-TO-BLOCK] anywhere
The docker chains are created automatically; I only added [IP-TO-BAN].
But in my log file I still see [IP-TO-BAN] trying to connect to the Minecraft server in the Docker container.
In my Minecraft log I still see the following lines:
[22:35:16] [Server thread/INFO]: com.mojang.authlib.GameProfile@7cb52cb8[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:59866) lost connection: Disconnected
[22:35:40] [Server thread/INFO]: com.mojang.authlib.GameProfile@2d49849a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:54582) lost connection: Disconnected
[22:36:03] [Server thread/INFO]: com.mojang.authlib.GameProfile@38f37b9a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:51052) lost connection: Disconnected
[22:36:18] [Server thread/INFO]: com.mojang.authlib.GameProfile@5f67d6d9[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:14578) lost connection: Disconnected
[22:36:42] [Server thread/INFO]: com.mojang.authlib.GameProfile@25321094[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:39670) lost connection: Disconnected
[22:37:04] [Server thread/INFO]: com.mojang.authlib.GameProfile@48c34dfd[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:31538) lost connection: Disconnected
[22:37:26] [Server thread/INFO]: com.mojang.authlib.GameProfile@12e6b98f[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:29874) lost connection: Disconnected
[22:37:47] [Server thread/INFO]: com.mojang.authlib.GameProfile@73d66414[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:63730) lost connection: Disconnected
[22:38:11] [Server thread/INFO]: com.mojang.authlib.GameProfile@46d56c4a[id=<null>,name=bfj_gj_bac_jh,properties={},legacy=false] (/[IP-TO-BAN]:27370) lost connection: Disconnected
What exactly am I doing wrong?
Thanks for your help!
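As an added example that is not part of the original post: a small shell check that takes one chain in the `iptables -L` layout shown above and reports rules that sit below an unconditional RETURN/ACCEPT/DROP, which iptables never evaluates because chain traversal stops at the first terminating match. The chain text is constructed from the DOCKER-USER listing in the question with a documentation placeholder address, and the corrected variant assumes the rule is inserted at position 1 with `iptables -I DOCKER-USER 1 ...`, as Docker's documentation recommends for DOCKER-USER.

```shell
# Added example, not code from the original post. Given the text of one chain as
# printed by `iptables -L <chain>`, print the 1-based index of every rule that
# sits below an unconditional terminating rule (RETURN/ACCEPT/DROP with prot
# "all", any source, any destination and no extra match). iptables walks a chain
# top to bottom and stops at the first terminating match, so such rules never fire.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }            # skip the "Chain ..." line and the column header
        NF == 0 { next }
        {
            rule++
            if (blocked) { print rule; next }
            if (($1 == "RETURN" || $1 == "ACCEPT" || $1 == "DROP") &&
                $2 == "all" && NF == 5 &&
                ($4 == "anywhere" || $4 == "0.0.0.0/0") &&
                ($5 == "anywhere" || $5 == "0.0.0.0/0"))
                blocked = 1
        }'
}

# Constructed sample: the DOCKER-USER chain as it appears in the post after
# `iptables -A DOCKER-USER -s <ip> -j DROP`; 203.0.113.7 is a documentation
# placeholder standing in for [IP-TO-BLOCK].
APPENDED_CHAIN='Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DROP       all  --  203.0.113.7          anywhere'

# Constructed sample of the same chain after inserting the rule at position 1
# (`iptables -I DOCKER-USER 1 -s <ip> -j DROP`), so it is evaluated before
# Docker's own RETURN.
INSERTED_CHAIN='Chain DOCKER-USER (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.7          anywhere
RETURN     all  --  anywhere             anywhere'

# Returns "ok" when no rule in the chain is shadowed, "shadowed" otherwise.
chain_status() {
    if [ -z "$(shadowed_rules "$1")" ]; then echo ok; else echo shadowed; fi
}

echo "appended: $(chain_status "$APPENDED_CHAIN")"   # shadowed
echo "inserted: $(chain_status "$INSERTED_CHAIN")"   # ok
```

On a live host the same check can be fed with `iptables -L DOCKER-USER` output, and the other Docker-managed chains (DOCKER, DOCKER-ISOLATION-STAGE-1/2) are rewritten by the Docker daemon, so DOCKER-USER is the only one of them where a manual rule is meant to persist.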