Restricting access to host ports mapped by Docker on Ubuntu 18.04


Author: Firetheworld | Source: published 2020-09-23 23:41, read 0 times

    Preface: when a Docker container started on Ubuntu publishes a port to the outside, adding an ordinary iptables restriction directly has no effect: traffic to the published port is DNATed to the container and traverses the FORWARD chain, where Docker's own rules accept it. The restriction has to be placed in the DOCKER-USER chain, which Docker evaluates before its own rules and leaves to the administrator. Use iptables-persistent to save the rule set so it remains in effect after a reboot.

    Example:

    Local machine, Ubuntu 18.04 (machine A)
    IP: 192.168.5.20
    It runs nginx with port 808 published on the host and port 80 inside the container. Access to port 80 is restricted by writing rules into the DOCKER-USER chain. The rules match the container port 80 rather than the published port 808, because the DNAT in the nat table has already rewritten the destination by the time the FORWARD chain (and DOCKER-USER) is consulted.
    To manage iptables rules persistently on Ubuntu 18.04, install the iptables-persistent tool.

    sudo apt install iptables-persistent
    

    First install Docker, run nginx, and view the default iptables rules:

    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
    DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain DOCKER (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:80
    
    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target     prot opt source               destination
    DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain DOCKER-ISOLATION-STAGE-2 (1 references)
    target     prot opt source               destination
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    Chain DOCKER-USER (1 references)
    target     prot opt source               destination
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    starcloud@starcloud:~$
    
    
    View only the DOCKER-USER chain
    starcloud@starcloud:~$ sudo iptables -nL DOCKER-USER
    Chain DOCKER-USER (1 references)
    target     prot opt source               destination
    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    starcloud@starcloud:~$
    

    Procedure:

    Add the access-restriction rules (allow IP 192.168.5.8 to access nginx in the container):

    
    starcloud@starcloud:~$ docker ps -a|grep nginx
    621488021dce        nginx:stable-alpine             "nginx -g 'daemon of…"   4 months ago        Up 24 minutes             0.0.0.0:808->80/tcp                                nginx
    starcloud@starcloud:~$
    
    

    Another Ubuntu 18.04 host (IP 192.168.5.10, machine B) can access it normally at this point:

    starcloud@starcloud:~$ curl  192.168.5.20:808
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    
    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>
    
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    

    Machine A (192.168.5.20) sets iptables rules in the DOCKER-USER chain:

    View the default DOCKER-USER rules:
    starcloud@starcloud:~$ sudo iptables -nL DOCKER-USER --line-number
    Chain DOCKER-USER (1 references)
    num  target     prot opt source               destination
    1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    To restrict access, first add the DROP rule:
    starcloud@starcloud:~$ sudo iptables -I DOCKER-USER -p tcp --dport 80 -j DROP
    starcloud@starcloud:~$ sudo iptables -nL DOCKER-USER --line-number
    Chain DOCKER-USER (1 references)
    num  target     prot opt source               destination
    1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    To delete the rule (by its line number in the chain):
    starcloud@starcloud:~$ sudo iptables -D DOCKER-USER 1
    
    

    Machine B can no longer reach the nginx on machine A:

    starcloud@starcloud:~$ curl  192.168.5.20:808
    
    

    Allow machine B (192.168.5.10) to access the nginx on machine A:

    starcloud@starcloud:~$ sudo iptables -I DOCKER-USER -p tcp -s 192.168.5.10 --dport 80 -j ACCEPT
    starcloud@starcloud:~$ sudo iptables -nL DOCKER-USER --line-number
    Chain DOCKER-USER (1 references)
    num  target     prot opt source               destination
    1    ACCEPT     tcp  --  192.168.5.10         0.0.0.0/0            tcp dpt:80
    2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
    
    starcloud@starcloud:~$
    
    

    P.S. The difference between iptables -I and iptables -A: iptables -I inserts the rule at the top of the chain, iptables -A appends it at the bottom. On rule effectiveness: iptables matches rules from top to bottom and stops at the first match, so an allow rule only takes effect if it comes before the deny rule.
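    The following script is an added example, not code from the original post. It turns the procedure above into a reusable, order-safe rule set for DOCKER-USER: one ACCEPT per allowed source, then the DROP for everyone else, then the RETURN that Docker expects at the end of the chain. It also includes a check that reads rules in `iptables -S DOCKER-USER` format and reports whether every ACCEPT for the port precedes the DROP, which is exactly the ordering mistake the P.S. warns about. The port 80 and the addresses 192.168.5.10 and 192.168.5.8 are the post's values; the function names and the sample rule listings are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and checks a
# DOCKER-USER rule set for a container port with an allow-list of sources.

# Print the rule set in iptables-save syntax. Order matters: ACCEPT lines
# come first, the DROP follows, and RETURN hands remaining traffic back to
# the FORWARD chain just as Docker's default DOCKER-USER chain does.
build_docker_user_rules() {
    port="$1"          # container-internal port (80 in the post), not the published 808
    shift
    for src in "$@"; do
        case "$src" in
            */*) cidr="$src" ;;          # caller already gave a CIDR
            *)   cidr="${src}/32" ;;     # single host, as iptables-save writes it
        esac
        echo "-A DOCKER-USER -s ${cidr} -p tcp -m tcp --dport ${port} -j ACCEPT"
    done
    echo "-A DOCKER-USER -p tcp -m tcp --dport ${port} -j DROP"
    echo "-A DOCKER-USER -j RETURN"
}

# Apply the rule set to the live chain and persist it with the post's
# netfilter-persistent command. Needs root and real iptables, so the test
# below does not call it; the chain is flushed and rebuilt so re-running is
# idempotent and the ACCEPT-before-DROP order is guaranteed.
apply_docker_user_rules() {
    port="$1"; shift
    iptables -F DOCKER-USER
    build_docker_user_rules "$port" "$@" | while read -r rule; do
        # shellcheck disable=SC2086   (word-splitting the rule string is intended)
        iptables $rule
    done
    netfilter-persistent save
}

# Read rules in "iptables -S DOCKER-USER" format from stdin and exit 0 only
# if no ACCEPT for the given port appears after a DROP for that port.
# A misordered chain is the symptom of adding the allow rule with -A after
# the DROP was already inserted.
check_accept_before_drop() {
    port="$1"
    awk -v port="$port" '
        /-j DROP/   && $0 ~ ("--dport " port "( |$)") && !drop_seen { drop_seen = NR }
        /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") && drop_seen  { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample listings for the check (shape of "iptables -S DOCKER-USER").
GOOD_RULES='-N DOCKER-USER
-A DOCKER-USER -s 192.168.5.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -p tcp -m tcp --dport 80 -j DROP
-A DOCKER-USER -j RETURN'

BAD_RULES='-N DOCKER-USER
-A DOCKER-USER -p tcp -m tcp --dport 80 -j DROP
-A DOCKER-USER -s 192.168.5.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN'

# Stand-alone demonstration: print the generated rules and check both samples.
build_docker_user_rules 80 192.168.5.10 192.168.5.8
printf '%s\n' "$GOOD_RULES" | check_accept_before_drop 80 && echo "good sample: ordered correctly"
printf '%s\n' "$BAD_RULES"  | check_accept_before_drop 80 || echo "bad sample: ACCEPT after DROP, allow rule is dead"
```

    The generated lines can also be dropped straight into /etc/iptables/rules.v4 under the filter section, which is the same syntax netfilter-persistent writes there; running the check against `sudo iptables -S DOCKER-USER` on a live host confirms that nobody has since appended an allow rule below the DROP.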

    Now machine B can access machine A normally:

    starcloud@starcloud:~$ curl  192.168.5.20:808
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    
    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>
    
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    

    Save the iptables rules permanently so they still apply after a reboot:

    starcloud@starcloud:~$ sudo netfilter-persistent save
    run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
    run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
    
    starcloud@starcloud:~$ sudo netfilter-persistent start
    run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
    run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
    
    starcloud@starcloud:~$ sudo cat /etc/iptables/rules.v4 |grep 192.168.5.10
    -A DOCKER-USER -s 192.168.5.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
    starcloud@starcloud:~$
    
    


    Article link: https://www.haomeiwen.com/subject/kqaoyktx.html