服务端: 192.168.0.105
客户端测试1: 192.168.0.104
客户端测试2: 192.168.0.107
- 在服务端192.168.0.105启动一个测试容器
# docker run -d --name rabbitmq -p 5672:5672 -p 15672:15672 --privileged=true rabbitmq:3-management
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9ebf3052bd79 rabbitmq:3-management "docker-entrypoint.s…" 23 hours ago Up 5 minutes 4369/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp, 15671/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp rabbitmq
# iptables -nvL --line
Chain INPUT (policy ACCEPT 433 packets, 31389 bytes)
num pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37 2020 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
2 37 2020 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
3 16 856 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 4 240 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
5 17 924 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 233 packets, 21556 bytes)
num pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
num pkts bytes target prot opt in out source destination
1 2 120 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:15672
2 2 120 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5672
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 17 924 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2 37 2020 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
2 17 924 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 37 2020 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
客户端测试1: 192.168.0.104

客户端测试2: 192.168.0.107

策略1(基于DOCKER链,指定网卡名)
# cat gen_iptables
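#!/bin/bash
# Print (do not apply) the iptables commands that restrict the ports Docker
# publishes on interface ${nic} to the source addresses listed in ${ips}.
# Usage: ./gen_iptables [nic]        (default nic: ens33)
#        review the printed commands, then run them as root.
#
# Ordering: the DROP rules are inserted into the DOCKER chain first and the
# per-source ACCEPT rules afterwards; since every "-I" goes to the top of the
# chain, the final order is ACCEPT <ip> ... / DROP tcp / DROP udp / Docker's
# own port-forwarding rules.
#
# NOTE(review): the DOCKER chain is managed by the Docker daemon and is
# rebuilt when it restarts or (re)creates containers, so rules inserted here
# may not persist; Docker documents DOCKER-USER as the chain intended for
# user-added filtering. Confirm which chain is appropriate before relying on
# this on a long-running host.
set -u

# Interface the published ports are reached on; may be overridden by $1.
nic=${1:-ens33}

# Sources allowed to reach the published ports (TCP only; UDP stays dropped
# for everyone, as in the original rule set).
# NOTE(review): host-local traffic to a published port does not normally
# traverse the FORWARD/DOCKER path, so the 127.0.0.1 entry may never match —
# check its counters in `iptables -nvL DOCKER` before relying on it.
ips=(
  127.0.0.1
  192.168.0.104
)

#######################################
# Print the iptables commands, one per line.
# Globals:   nic (read), ips (read)
# Outputs:   iptables command lines on stdout
# Returns:   0
#######################################
gen_rules() {
  local ip
  printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT"
  printf '%s\n' "iptables -I DOCKER -i ${nic} -p tcp --dport 1:65535 -j DROP"
  printf '%s\n' "iptables -I DOCKER -i ${nic} -p udp --dport 1:65535 -j DROP"
  # The original script ran this loop twice and therefore produced every
  # ACCEPT rule twice (DOCKER rules 1-4 in the listing below); emit each
  # allowed source exactly once.
  for ip in "${ips[@]}"; do
    printf '%s\n' "iptables -I DOCKER -i ${nic} -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
  done
}

gen_rules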
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT
iptables -I DOCKER -i ens33 -p tcp --dport 1:65535 -j DROP
iptables -I DOCKER -i ens33 -p udp --dport 1:65535 -j DROP
iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
# iptables -nvL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 65 4692 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 37 2020 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
2 37 2020 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
3 16 856 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 4 240 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
5 17 924 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 31 packets, 2832 bytes)
num pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- ens33 * 192.168.0.104 0.0.0.0/0 tcp dpts:1:65535
2 0 0 ACCEPT tcp -- ens33 * 127.0.0.1 0.0.0.0/0 tcp dpts:1:65535
3 0 0 ACCEPT tcp -- ens33 * 192.168.0.104 0.0.0.0/0 tcp dpts:1:65535
4 0 0 ACCEPT tcp -- ens33 * 127.0.0.1 0.0.0.0/0 tcp dpts:1:65535
5 0 0 DROP udp -- ens33 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535
6 0 0 DROP tcp -- ens33 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535
7 2 120 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:15672
8 2 120 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5672
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 17 924 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2 37 2020 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
2 17 924 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 37 2020 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
// 容器内部跟外部通讯回包不受影响
# docker exec -it xxxxxx bash
root@xxxxxx:/# echo > /dev/tcp/www.baidu.com/443
客户端测试1: 192.168.0.104

客户端测试2: 192.168.0.107

策略2(基于DOCKER链,不指定网卡名)
# cat gen_iptables
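#!/bin/bash
# Print (do not apply) the iptables commands that restrict the ports Docker
# publishes to the source addresses listed in ${ips}, on any interface.
# Usage: ./gen_iptables
#        review the printed commands, then run them as root.
#
# Ordering: the DROP rules are inserted into the DOCKER chain first and the
# per-source ACCEPT rules afterwards; since every "-I" goes to the top of the
# chain, the final order is ACCEPT <ip> ... / DROP tcp / DROP udp / Docker's
# own port-forwarding rules.
#
# NOTE(review): the DOCKER chain is managed by the Docker daemon and is
# rebuilt when it restarts or (re)creates containers, so rules inserted here
# may not persist; Docker documents DOCKER-USER as the chain intended for
# user-added filtering. Confirm which chain is appropriate before relying on
# this on a long-running host.
set -u

# Sources allowed to reach the published ports (TCP only; UDP stays dropped
# for everyone, as in the original rule set).
# NOTE(review): host-local traffic to a published port does not normally
# traverse the FORWARD/DOCKER path, so the 127.0.0.1 entry may never match —
# check its counters in `iptables -nvL DOCKER` before relying on it.
ips=(
  127.0.0.1
  192.168.0.104
)

#######################################
# Print the iptables commands, one per line.
# Globals:   ips (read)
# Outputs:   iptables command lines on stdout
# Returns:   0
#######################################
gen_rules() {
  local ip
  printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT"
  printf '%s\n' "iptables -I DOCKER -p tcp --dport 1:65535 -j DROP"
  printf '%s\n' "iptables -I DOCKER -p udp --dport 1:65535 -j DROP"
  # The original script ran this loop twice and therefore produced every
  # ACCEPT rule twice (DOCKER rules 1-4 in the listing below); emit each
  # allowed source exactly once.
  for ip in "${ips[@]}"; do
    printf '%s\n' "iptables -I DOCKER -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
  done
}

gen_rules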
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT
iptables -I DOCKER -p tcp --dport 1:65535 -j DROP
iptables -I DOCKER -p udp --dport 1:65535 -j DROP
iptables -I DOCKER -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
# iptables -nvL --line
Chain INPUT (policy ACCEPT 99 packets, 7722 bytes)
num pkts bytes target prot opt in out source destination
1 167 11724 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 62 3459 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
2 62 3459 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
3 26 1393 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 9 540 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
5 27 1526 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 83 packets, 7888 bytes)
num pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
num pkts bytes target prot opt in out source destination
1 2 120 ACCEPT tcp -- * * 192.168.0.104 0.0.0.0/0 tcp dpts:1:65535
2 0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpts:1:65535
3 0 0 ACCEPT tcp -- * * 192.168.0.104 0.0.0.0/0 tcp dpts:1:65535
4 0 0 ACCEPT tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpts:1:65535
5 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:65535
6 3 180 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:65535
7 2 120 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:15672
8 2 120 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:5672
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num pkts bytes target prot opt in out source destination
1 27 1526 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2 62 3459 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
2 27 1526 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
1 62 3459 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
// 容器内部跟外部通讯回包不受影响
# docker exec -it xxxxxx bash
root@xxxxxx:/# echo > /dev/tcp/www.baidu.com/443
客户端测试1: 192.168.0.104

客户端测试2: 192.168.0.107

参考
浅谈容器网络原理
https://mp.weixin.qq.com/s/vn1F783aNFFX1LGHhFYJDQ
聊聊 Docker 容器网络和 IPtables 间的亲密关系
https://mp.weixin.qq.com/s/Spl9h3ajdO2bn8LhAMo3Ag
docker 映射出来的端口如何写 iptables 规则
https://mp.weixin.qq.com/s/AC0dWjewU_Dam7wSOKeOhQ