Centos
iptables blocks access to a Docker container from the host
I have iptables rules that block access to a Docker container from the host (access from the external network works fine). Most of these rules were written by a former colleague of mine, so I basically have no experience writing iptables rules.
Could someone advise me on which rule I should edit/delete/add so that I can simply curl my Docker container from the host?
Here are my iptables rules:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N cphulk
-N dynamic
-N loc-fw
-N loc_frwd
-N logdrop
-N logflags
-N logreject
-N net-fw
-N net-loc
-N net_frwd
-N reject
-N sha-lh-f039fe5b47b48a558b61
-N sha-rh-5f1a9db64e7d114e7d5b
-N shorewall
-N smurflog
-N smurfs
-N tcpflags
-A INPUT -j cphulk
-A INPUT -i eth0 -j net-fw
-A INPUT -i eth1 -j loc-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
-A INPUT -g reject
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -j DOCKER
-A FORWARD -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -i br-d7d9cacee34d -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -j DOCKER
-A FORWARD -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i br-72d36b8824e3 -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j loc_frwd
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -m addrtype --dst-type ANYCAST -j DROP
-A FORWARD -m addrtype --dst-type MULTICAST -j DROP
-A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
-A FORWARD -g reject
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d7d9cacee34d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-72d36b8824e3 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:20:09 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:39:50 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:17 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:18 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:13:35 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T23:25:36 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:53 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:54 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T03:21:43 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T07:59:55 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T15:33:49 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T16:09:47 -j DROP
-A loc-fw -j dynamic
-A loc-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc-fw -p tcp -j tcpflags
-A loc-fw -j ACCEPT
-A loc_frwd -j dynamic
-A loc_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc_frwd -p tcp -j tcpflags
-A loc_frwd -o eth0 -j ACCEPT
-A logdrop -j DROP
-A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -j dynamic
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net-fw -p tcp -j tcpflags
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 22,53,80,443,10000,3306,5500,2087,2083,21,110,995,993,25,465 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 587,2096,5432,8080 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 8181 -j ACCEPT
-A net-fw -p udp -m udp --dport 53 -j ACCEPT
-A net-fw -m addrtype --dst-type BROADCAST -j DROP
-A net-fw -m addrtype --dst-type ANYCAST -j DROP
-A net-fw -m addrtype --dst-type MULTICAST -j DROP
-A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-loc -m addrtype --dst-type BROADCAST -j DROP
-A net-loc -m addrtype --dst-type ANYCAST -j DROP
-A net-loc -m addrtype --dst-type MULTICAST -j DROP
-A net-loc -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-loc DROP " --log-level 6
-A net-loc -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A smurflog -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "smurfs DROP " --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
Thanks
Solved my problem by adding
iptables -I INPUT 2 -i docker0 -j ACCEPT
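As an added example (not from the original post), a shell check over an `iptables -S INPUT` dump that tells whether packets arriving on a given interface reach an ACCEPT before the chain's catch-all `-g reject`; the INPUT chain above drops everything from docker0 because only eth0, eth1 and lo are handled before the reject. The sample chains are constructed from the question's INPUT chain, and the narrower conntrack variant is an assumption about what is needed, not the poster's rule.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `iptables -S INPUT` dump to see
# whether packets arriving on one interface reach an ACCEPT before the chain's catch-all
# reject. Replies from a container to a curl run on the host enter INPUT via docker0.

# Constructed sample, modelled on the INPUT chain in the question (before the fix).
BEFORE_FIX='-P INPUT DROP
-A INPUT -j cphulk
-A INPUT -i eth0 -j net-fw
-A INPUT -g reject'

# The same chain after the poster's "iptables -I INPUT 2 -i docker0 -j ACCEPT".
AFTER_FIX='-P INPUT DROP
-A INPUT -j cphulk
-A INPUT -i docker0 -j ACCEPT
-A INPUT -i eth0 -j net-fw
-A INPUT -g reject'

# Narrower alternative (an assumption, not the poster's rule): accept only replies to
# connections the host itself opened, so containers cannot initiate towards the host.
NARROW_FIX='-P INPUT DROP
-A INPUT -j cphulk
-A INPUT -i docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j net-fw
-A INPUT -g reject'

# input_accepts_iface DUMP IFACE: exit 0 if INPUT accepts reply traffic on IFACE before
# any unconditional reject/DROP rule, else 1. Only "-i IFACE" plus an optional
# conntrack/state ESTABLISHED match count; any other match makes the rule conditional.
input_accepts_iface() {
  printf '%s\n' "$1" | awk -v iface="$2" '
    $1 == "-A" && $2 == "INPUT" {
      on_iface = 0; cond = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i + 1) == iface) { on_iface = 1; i++ }
        else if ($i == "-m" && ($(i + 1) == "conntrack" || $(i + 1) == "state")) i++
        else if (($i == "--ctstate" || $i == "--state") && $(i + 1) ~ /ESTABLISHED/) i++
        else if ($i == "-j" || $i == "-g") { target = $(i + 1); i++ }
        else cond = 1
      }
      if (on_iface && !cond && target == "ACCEPT") { found = 1; exit }
      # an unconditional reject/DROP ends evaluation for every packet: stop scanning
      if (!on_iface && !cond && target ~ /^(reject|DROP|REJECT)$/) exit
    }
    END { exit found ? 0 : 1 }'
}

input_accepts_iface "$BEFORE_FIX" docker0 && echo "before: accepted" || echo "before: rejected"
input_accepts_iface "$AFTER_FIX" docker0 && echo "after: accepted" || echo "after: rejected"
```

Run it against the live ruleset with `input_accepts_iface "$(iptables -S INPUT)" docker0` to confirm the fix is in place after a reboot or a firewall reload.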