I have a problem where the ports exposed by applications running in docker containers on our system are open to the world, even though the iptables configuration is intended to restrict access.
It seems to me the problem may be related to the docker daemon adding rules to iptables on startup. I am also aware of the flags --icc=true|false, --ip-forward=true|false and --iptables=true|false, but I don't know what combination of these flags I should be using. I have tried --icc=false and --ip-forward=false, but neither had the desired effect. I would prefer not to use --iptables=false, since the docker daemon obviously adds many rules that I would then have to configure manually if they are still needed.
This is the state of the rules before the docker daemon starts:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- !lo any anywhere loopback/8 reject-with icmp-port-unreachable
0 0 DROP tcp -- any any anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
0 0 DROP all -f any any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- any any anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
82 8831 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports ssh
0 0 ACCEPT tcp -- any any <IP ADDRESS RANGE 1> anywhere multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
0 0 ACCEPT tcp -- any any <IP ADDRESS RANGE 2> anywhere multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
0 0 LOG all -- any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24 2489 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
77 10080 ACCEPT all -- any any anywhere anywhere
And this is with the docker daemon running:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- !lo any anywhere loopback/8 reject-with icmp-port-unreachable
0 0 DROP tcp -- any any anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
0 0 DROP all -f any any anywhere anywhere
0 0 DROP tcp -- any any anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 DROP tcp -- any any anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
1335 230K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 32 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
7 380 ACCEPT tcp -- any any anywhere anywhere multiport dports ssh
0 0 ACCEPT tcp -- any any <IP ADDRESS RANGE 1> anywhere multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
0 0 ACCEPT tcp -- any any <IP ADDRESS RANGE 2> anywhere multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
35 2016 LOG all -- any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
62 3672 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
54492 21M DOCKER all -- any docker0 anywhere anywhere
51882 20M ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
58371 9122K ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 DROP all -- docker0 docker0 anywhere anywhere
1186 121K REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2090 263K ACCEPT all -- any any anywhere anywhere
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
86 7048 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:7990
1639 395K ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:7999
791 151K ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.3 tcp dpt:http-alt
20 1898 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.4 tcp dpt:8090
49 4561 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.5 tcp dpt:18080
25 3642 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.6 tcp dpt:8095
There are also some POSTROUTING & MASQUERADE rules which are not shown with iptables -L, only when you use iptables-save. I am not sure of the significance of these either.
I suspect the DOCKER target rule in the FORWARD chain is the source of the problem, but I can't see how to fix it, since it seems to be inserted at the start of the chain by the docker daemon.
So, can anyone tell me what I need to do to make sure that ports 7990, 8090 etc. are not exposed to the world when running docker?
Thanks
Richard
The DOCKER chain is a custom chain defined in the FORWARD chain. When a packet arrives on any interface and is bound for the docker0 bridge interface, it is sent to the custom DOCKER chain.
pkts bytes target prot opt in out source destination
54492 21M DOCKER all -- any docker0 anywhere anywhere
Now the DOCKER chain will take all incoming packets, except those coming from docker0, and send them to the container IP (172.x.x.x) and port, in this case 7990.
pkts bytes target prot opt in out source destination
86 7048 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:7990
If you post the output of iptables -t nat -L -n, you will see the DNAT rules that perform the host-to-container port forwarding, e.g. a packet arriving at host port 49154 will be port-forwarded to container IP 172.17.0.2 and port 7990.
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:49154 to:172.17.0.2:7990
You can stop packets from reaching the container by, for example, restricting the source IP from any (0.0.0.0) to allow only packets from your internal network. To allow connections to the container port 7990 only from the internal network (e.g. 192.168.1.0/24), you could run the following command -
/sbin/iptables -I FORWARD '!' -s 192.168.1.0/24 -d 172.17.0.2 -p tcp --dport 7990 -j DROP
This will block any packets from being forwarded to the container at the specified IP:Port unless they come from the internal network. You can modify the source/destination IPs and ports according to your setup.
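As an added example, not code from the question or from the answer above, the following Python script parses a DOCKER chain listing in the iptables -L -v format shown in the question, reports every container ip:port that Docker accepts from any source arriving on a non-bridge interface (the "anywhere" / 0.0.0.0/0 rows), and builds the restricting DROP rule from the answer for each one. The listing embedded in the script is constructed: it is the question's DOCKER chain plus one invented row with source 192.168.1.0/24, included so the audit has a restricted port to leave alone. The chain parameter defaults to FORWARD to match the answer; the DOCKER-USER chain it mentions as an alternative exists on Docker 17.06 and later and is consulted before Docker's own FORWARD rules.

```python
"""Audit a DOCKER chain listing for container ports reachable from any
source and build the restricting rule from the answer.

Added example; not code from the question or the answer. The sample
listing is constructed from the question's DOCKER chain plus one
invented row (source 192.168.1.0/24) that is not on the page."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample listing (iptables -L DOCKER -v format).
SAMPLE_LISTING = """\
Chain DOCKER (1 references)
 pkts bytes target     prot opt in       out     source               destination
   86  7048 ACCEPT     tcp  --  !docker0 docker0 anywhere             172.17.0.2           tcp dpt:7990
 1639  395K ACCEPT     tcp  --  !docker0 docker0 anywhere             172.17.0.2           tcp dpt:7999
  791  151K ACCEPT     tcp  --  !docker0 docker0 anywhere             172.17.0.3           tcp dpt:http-alt
    0     0 ACCEPT     tcp  --  !docker0 docker0 192.168.1.0/24       172.17.0.4           tcp dpt:8090
"""

# Source values iptables prints for "match every address" (with and without -n).
ANY_SOURCE = {"anywhere", "0.0.0.0/0", "::/0"}


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    destination: str
    dport: Optional[str]


def parse_listing(text: str) -> list[Rule]:
    """Parse the verbose listing: pkts bytes target prot opt in out
    source destination [match options]. Chain headers set the chain name;
    the column-header row and malformed rows are skipped."""
    rules: list[Rule] = []
    chain = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Chain":
            chain = parts[1]
            continue
        if parts[0] == "pkts" or chain is None or len(parts) < 9:
            continue
        extras = " ".join(parts[9:])
        m = re.search(r"dpts?:(\S+)", extras)
        rules.append(Rule(chain, parts[2], parts[3], parts[5], parts[6],
                          parts[7], parts[8], m.group(1) if m else None))
    return rules


def exposed_container_ports(rules: list[Rule]) -> list[tuple[str, str]]:
    """Container (ip, port) pairs accepted from any source on traffic that
    enters from outside the bridge (in == !docker0): reachable from outside."""
    return [(r.destination, r.dport) for r in rules
            if r.chain == "DOCKER" and r.target == "ACCEPT"
            and r.in_if.startswith("!") and r.source in ANY_SOURCE
            and r.dport is not None]


def restrict_rule(container_ip: str, dport: str, allowed_cidr: str,
                  proto: str = "tcp", chain: str = "FORWARD") -> str:
    """The DROP rule from the answer: forward to ip:port only from
    allowed_cidr. chain="FORWARD" matches the daemon in the question;
    on Docker 17.06+ use chain="DOCKER-USER", which Docker evaluates
    before its own FORWARD rules."""
    return (f"iptables -I {chain} ! -s {allowed_cidr} -d {container_ip} "
            f"-p {proto} --dport {dport} -j DROP")


def main() -> None:
    rules = parse_listing(SAMPLE_LISTING)
    for ip, port in exposed_container_ports(rules):
        print(f"exposed to any source: {ip}:{port}")
        print("  restricting rule:", restrict_rule(ip, port, "192.168.1.0/24"))


if __name__ == "__main__":
    main()
```

Two points worth keeping in mind when applying the generated rule: the answer's rule matches on the container address (-d 172.17.0.2) because the nat-table DNAT has already rewritten the destination by the time the packet reaches the filter FORWARD chain, so matching on the published host port there will not work; and Docker inserts its own jumps at the top of FORWARD when the daemon starts, so a hand-inserted FORWARD rule should be re-checked with iptables -L FORWARD -v after a daemon restart, which is the reason newer Docker offers the DOCKER-USER chain.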