众所周知,当 Docker 在主机上运行时,iptables 规则很难设置,我想我在这篇精彩的博客文章中找到了一个明确的解决方案:https : //unrouted.io/2017/08/15/docker-firewall/
这篇博文中描述的配置已经为我服务了很长时间,但我现在面临一个我以前从未遇到过的问题。
我正在运行一个 docker 容器,它在主机的端口 465 上公开服务。端口 465 映射到容器中的端口 25。以下是模拟此类服务的方法:
$ docker run --rm -it -p 465:25 python:3.6 python3 -m http.server 25
我的问题是我无法从外部访问服务器上的端口 465:
$ curl mydomain.com:465
curl: (7) Failed to connect to mydomain.com port 465: No route to host
然而,有趣的部分来了,如果主机上的端口映射到容器中的相同端口,我确实设法访问该服务。换句话说,当我在主机上运行时:
$ docker run --rm -it -p 465:465 python:3.6 python3 -m http.server 465
然后我可以从外部访问该服务:
$ curl mydomain.com:465
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org...
这整个问题是由于我的 iptables 定义造成的:我知道这是因为当我刷新 iptables 规则时,我确实设法从外部访问服务,无论端口映射如何。
这是我的 iptable 规则:
*filter
# Source: https://unrouted.io/2017/08/15/docker-firewall/
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -j FILTERS
-A DOCKER-USER -i eth0 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
无论端口映射如何,我应该如何修改我的 iptables 以便我可以从外部访问我的容器?
编辑:
以下是失败场景(465:25映射)中完整的 iptables 规则:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- loopback/8 anywhere reject-with icmp-port-unreachable
ACCEPT icmp -- anywhere anywhere icmp any
FILTERS all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.19.0.4 tcp dpt:3000
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:smtp
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
FILTERS all -- anywhere anywhere
Chain FILTERS (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:urd
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
小智 5
感谢您在 Twitter 上与我联系。事实上,我之前已经研究过这个问题,没有其他人注意到它,我想我知道发生了什么。在你的例子中:
docker run --rm -it -p 465:25 python:3.6 python3 -m http.server 25
如果您查看完整的防火墙配置,iptables-save您会看到一堆 NAT 规则。您可能会在本节中看到类似这样的内容*nat:
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
... snip ...
-A DOCKER ! -i br-abbaabbaabba -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.18.0.10:25
因此,该规则在阶段中执行PREROUTING,并重写传入数据包,使其看起来始终针对端口 25 而不是端口 465。这发生在表链filter运行之前INPUT。
所以我认为如果您允许流量到达端口 25,那么实际上您也可以访问端口465。显然您不想允许访问所有端口 25,因为这包括您主机的端口 25。
由于 Docker,您此时要做的所有常见技巧都变得更加困难。
您可以沿着显式优于隐式的路线,并拆分主机与 docker 规则:
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Rules for services running on the host:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Rules for services running in containers:
-A DOCKER-USER -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# This says dport 25, but is actually 465. Yay for prerouting + NAT.
# Service on real host port 25 should still be inaccessible because DOCKER-USER
# is only accessible via `FORWARD` and not `INPUT`...
-A DOCKER-USER -i eth0 -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A DOCKER-USER -j REJECT --reject-with icmp-host-prohibited
COMMIT
您允许流量到达端口 25 仍然令人不满意。
我相信现在 Docker 没有放入任何内容*raw,*mangle因此可以安全地在其中添加您自己的规则。显然这些表存在局限性(raw 是在连接跟踪之前,mangle 仅用于标记连接),所以这也不是很好。
最后,我认为conntrackiptables 模块可能有答案的唯一一件事是--ctorigdstport,但我自己从未尝试过。看看这个你可以尝试:
iptables -A FILTERS -p tcp --dport 25 -m conntrack --ctstate NEW --ctorigdstport 465 -j ACCEPT
看起来有点难看,但清楚地说明了正在发生的事情。如果您尝试这个并且它有效,请告诉我,我会考虑将其写下来/更新该博客文章。
| 归档时间: |
|
| 查看次数: |
2553 次 |
| 最近记录: |