Iptables
How do I prevent remote access in iptables?
I have set up iptables together with docker-compose, but whitelisting only the IP addresses I want does not seem to work, because the server is still receiving remote access attempts:

```
Connection matched pg_hba.conf line 95: "host all all all md5"
2021-09-01 21:36:42.132 UTC [8821] FATAL: password authentication failed for user "postgres"
2021-09-01 21:36:42.132 UTC [8821] DETAIL: Role "postgres" does not exist.
```

How do I fix my iptables so that they are set up correctly? What am I doing wrong here?
```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
# (where x is removed ip addresses)
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -i br-1de8a78b46b8 -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 2368 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5900 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 4444 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9300 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1de8a78b46b8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
```
Edit:
Here is my docker-compose configuration:

```yaml
postgres:
  image: "postgres:12.1"
  env_file:
    - '.env'
  ports:
    - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  volumes:
    - postgres:/var/lib/postgresql/data
    - /opt/ghost_postgres:/var/lib/postgres
  networks:
    - esnet
redis:
  image: redis:5.0.6-alpine
  command: redis-server --requirepass "${REDIS_PASS}"
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  ports:
    - '6379:6379'
  volumes:
    - redis:/var/lib/redis/data
  networks:
    - esnet
prosebit:
  build:
    context: "."
    args:
      - "FLASK_ENV=${FLASK_ENV:-production}"
      - "NODE_ENV=${NODE_ENV:-production}"
  depends_on:
    - "postgres"
    - "redis"
  env_file:
    - ".env"
  ports:
    - "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  volumes:
    - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
  networks:
    - esnet
web:
  depends_on:
    - prosebit
  restart: always
  build:
    context: ../nginx #added /deploy for development, remove for production
    dockerfile: Dockerfile
  volumes: ...
  ports:
    - 80:80
    - 443:443
  networks:
    - "esnet"
celery:
  build:
    context: "."
    args:
      - "FLASK_ENV=${FLASK_ENV:-production}"
      - "NODE_ENV=${NODE_ENV:-production}"
  command: celery worker -B -l info -A
  env_file:
    - '.env'
  depends_on:
    - "postgres"
    - "redis"
  env_file:
    - ".env"
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  volumes:
    - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
  networks:
    - "esnet"
```
Docker opens the port in the firewall itself, because your docker-compose.yml explicitly asks for port 5432 to be exposed to the world:

```yaml
ports:
  - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
```

It is not clear why this is here in any form. Remember that services on the same network can always reach each other and do not need a ports entry; specifying ports only allows access from outside. PS: you are also exposing your redis container to the world, which is probably not what you want either.
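As an added check (not part of the answer above or of any Docker tooling), this Python script walks a compose file's ports: entries, expands ${VAR:-default} the way compose does, and reports the host IP each port is published on; an entry without a host IP is bound to 0.0.0.0 and bypasses the INPUT chain entirely, which is the situation described in the question. The SAMPLE fragment is constructed to mirror the question's file.

```python
import re

# One list item under ports:, e.g. "- '5432:5432'"; quotes and trailing comments are ignored.
_PORT_RE = re.compile(r"""^\s*-\s*["']?(?P<spec>[^"'#\s]+)""")
_VAR_RE = re.compile(r"\$\{(?P<name>\w+)(?::-(?P<default>[^}]*))?\}")  # ${VAR} / ${VAR:-default}

def published_ports(compose_text, env=None):
    """Return (service, host_ip, host_port, container_port) for every ports: entry.
    host_ip 0.0.0.0 means Docker DNATs the port on all interfaces; that traffic is FORWARDed, not INPUT."""
    env = env or {}
    expand = lambda s: _VAR_RE.sub(lambda m: env.get(m["name"], m["default"] or ""), s)
    svc_indent = 2 if re.search(r"^services:\s*$", compose_text, re.M) else 0
    found, service, ports_indent = [], None, None
    for line in compose_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        m = _PORT_RE.match(line)
        if ports_indent is not None and indent > ports_indent and m:
            parts = expand(m["spec"]).split(":")      # [host_ip,] host_port[, container_port]
            if len(parts) == 1:
                parts = parts * 2                     # "5432" means 5432:5432
            if len(parts) == 2:
                parts.insert(0, "0.0.0.0")            # no host IP: Docker binds every interface
            found.append((service, *parts))
            continue
        ports_indent = None                           # any other line ends the ports list
        key = stripped.split("#", 1)[0].strip()
        if key.endswith(":") and not key.startswith("-"):
            name = key[:-1]
            if indent == svc_indent and name not in ("volumes", "networks", "secrets", "configs"):
                service = name
            elif name == "ports" and indent > svc_indent:
                ports_indent = indent
    return found

# Constructed fragment mirroring the compose file in the question.
SAMPLE = """\
postgres:
  ports:
    - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
prosebit:
  ports:
    - "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
redis:
  ports:
    - '6379:6379'
"""
```

Anything reported with host IP 0.0.0.0 is reachable from outside no matter what the INPUT chain says, so fix it in the compose file (prefix the host IP, or drop the ports entry when only other services on the same network need it) rather than in iptables.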