Centos

iptables 阻止從主機訪問 docker 容器

  • April 8, 2021

我有阻止從主機訪問 DOCKER Container 的 iptables 規則(從外部網路訪問工作正常),這些規則大部分是由我的前同事編寫的,所以基本上我沒有編寫 iptables 規則的經驗

有人可以幫助我就我應該編輯/刪除/添加哪一行規則提供一些建議,這樣我就可以簡單地從主機捲曲我的 DOCKER 容器

這是我的 iptables 規則

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N cphulk
-N dynamic
-N loc-fw
-N loc_frwd
-N logdrop
-N logflags
-N logreject
-N net-fw
-N net-loc
-N net_frwd
-N reject
-N sha-lh-f039fe5b47b48a558b61
-N sha-rh-5f1a9db64e7d114e7d5b
-N shorewall
-N smurflog
-N smurfs
-N tcpflags
-A INPUT -j cphulk
-A INPUT -i eth0 -j net-fw
-A INPUT -i eth1 -j loc-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
-A INPUT -g reject
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d7d9cacee34d -j DOCKER
-A FORWARD -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -i br-d7d9cacee34d -o br-d7d9cacee34d -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-72d36b8824e3 -j DOCKER
-A FORWARD -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i br-72d36b8824e3 -o br-72d36b8824e3 -j ACCEPT
-A FORWARD -i eth0 -j net_frwd
-A FORWARD -i eth1 -j loc_frwd
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -m addrtype --dst-type ANYCAST -j DROP
-A FORWARD -m addrtype --dst-type MULTICAST -j DROP
-A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
-A FORWARD -g reject
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1337 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-d7d9cacee34d ! -o br-d7d9cacee34d -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-72d36b8824e3 ! -o br-72d36b8824e3 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d7d9cacee34d -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-72d36b8824e3 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:20:09 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T21:39:50 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:17 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:04:18 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T22:13:35 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-30T23:25:36 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:53 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T02:26:54 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T03:21:43 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T07:59:55 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T15:33:49 -j DROP
-A cphulk -s xxxxxxx/32 -m state --state NEW -m time --datestop 2021-03-31T16:09:47 -j DROP
-A loc-fw -j dynamic
-A loc-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc-fw -p tcp -j tcpflags
-A loc-fw -j ACCEPT
-A loc_frwd -j dynamic
-A loc_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A loc_frwd -p tcp -j tcpflags
-A loc_frwd -o eth0 -j ACCEPT
-A logdrop -j DROP
-A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -j dynamic
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
-A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net-fw -p tcp -j tcpflags
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 22,53,80,443,10000,3306,5500,2087,2083,21,110,995,993,25,465 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 587,2096,5432,8080 -j ACCEPT
-A net-fw -p tcp -m multiport --dports 8181 -j ACCEPT
-A net-fw -p udp -m udp --dport 53 -j ACCEPT
-A net-fw -m addrtype --dst-type BROADCAST -j DROP
-A net-fw -m addrtype --dst-type ANYCAST -j DROP
-A net-fw -m addrtype --dst-type MULTICAST -j DROP
-A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
-A net-fw -j DROP
-A net-loc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-loc -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net-loc -m addrtype --dst-type BROADCAST -j DROP
-A net-loc -m addrtype --dst-type ANYCAST -j DROP
-A net-loc -m addrtype --dst-type MULTICAST -j DROP
-A net-loc -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-loc DROP " --log-level 6
-A net-loc -j DROPn
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A smurflog -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "smurfs DROP " --log-level 6
-A smurflog -j DROP
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -g smurflog
-A smurfs -s 224.0.0.0/4 -g smurflog
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags

謝謝

通過添加解決了我的問題

iptables -I INPUT 2 -i docker0 -j ACCEPT

引用自:https://serverfault.com/questions/1058868