【iptables】如果用iptables限制docker容器映

作者: Bogon | 来源:发表于2024-03-27 00:05 被阅读0次

docker容器iptables failed: iptable
ubuntu18.04对docker映射的宿主机端口进行访问限制
docker启动容器报错：iptables failed
Docker iptables failed
ubuntu20.04 ufw 无法管控docker映射端口的问
iptables快速上手
Docker配置防火墙
Centos7.4_iptables限制IP及端口.md
Docker前传之linux iptables
Failed to Setup IP tables

服务端： 192.168.0.105
客户端测试1： 192.168.0.104
客户端测试2： 192.168.0.107

在服务端192.168.0.105启动一个测试容器

# docker run -d  --name rabbitmq -p 5672:5672 -p 15672:15672    --privileges=true  rabbitmq:3-management

# docker ps -a

CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                                                                                                         NAMES
9ebf3052bd79        rabbitmq:3-management   "docker-entrypoint.s…"   23 hours ago        Up 5 minutes        4369/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp, 15671/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp   rabbitmq


# iptables -nvL --line
Chain INPUT (policy ACCEPT 433 packets, 31389 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       37  2020 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       16   856 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        4   240 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5       17   924 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 233 packets, 21556 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:15672
2        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5672

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       17   924 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2       17   924 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

客户端测试1： 192.168.0.104

image.png

客户端测试2： 192.168.0.107

image.png

策略1（基于DOCKER链，指定网卡名）

# cat gen_iptables

#!/bin/bash

nic="ens33"

ips="
127.0.0.1
192.168.0.104
"


echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
echo "iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT"


echo "iptables -I DOCKER  -i ${nic} -p tcp --dport 1:65535 -j DROP"
echo "iptables -I DOCKER  -i ${nic} -p udp --dport 1:65535 -j DROP"

for ip in ${ips[@]}
do
  echo "iptables -I DOCKER -i ${nic} -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
done

for ip in ${ips[@]}
do
  echo "iptables -I DOCKER -i ${nic} -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
done

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT

iptables -I DOCKER  -i ens33 -p tcp --dport 1:65535 -j DROP
iptables -I DOCKER  -i ens33 -p udp --dport 1:65535 -j DROP

iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT

iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT

# iptables -nvL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       65  4692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       37  2020 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       16   856 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        4   240 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5       17   924 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 31 packets, 2832 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  ens33  *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
2        0     0 ACCEPT     tcp  --  ens33  *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
3        0     0 ACCEPT     tcp  --  ens33  *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
4        0     0 ACCEPT     tcp  --  ens33  *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
5        0     0 DROP       udp  --  ens33  *       0.0.0.0/0            0.0.0.0/0            udp dpts:1:65535
6        0     0 DROP       tcp  --  ens33  *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:65535
7        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:15672
8        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5672

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       17   924 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2       17   924 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

// 容器内部跟外部通讯回包不受影响
#  docker exec -it   xxxxxx   bash

root@xxxxxx:/# echo  > /dev/tcp/www.baidu.com/443

客户端测试1： 192.168.0.104

image.png

客户端测试2： 192.168.0.107

image.png

策略2（基于DOCKER链，不指定网卡名）

# cat gen_iptables

#!/bin/bash

ips="
127.0.0.1
192.168.0.104
"

echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
echo "iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT"


echo "iptables -I DOCKER  -p tcp --dport 1:65535 -j DROP"
echo "iptables -I DOCKER  -p udp --dport 1:65535 -j DROP"

for ip in ${ips[@]}
do
  echo "iptables -I DOCKER -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
done

for ip in ${ips[@]}
do
  echo "iptables -I DOCKER -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
done

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT
iptables -I DOCKER  -i ens33 -p tcp --dport 1:65535 -j DROP
iptables -I DOCKER  -i ens33 -p udp --dport 1:65535 -j DROP
iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT

# iptables -nvL --line
Chain INPUT (policy ACCEPT 99 packets, 7722 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      167 11724 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       62  3459 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       62  3459 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       26  1393 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        9   540 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5       27  1526 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 83 packets, 7888 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   120 ACCEPT     tcp  --  *      *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
2        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
3        0     0 ACCEPT     tcp  --  *      *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
4        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
5        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1:65535
6        3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:65535
7        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:15672
8        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5672

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       27  1526 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       62  3459 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2       27  1526 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       62  3459 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

// 容器内部跟外部通讯回包不受影响
#  docker exec -it   xxxxxx   bash

root@xxxxxx:/# echo  > /dev/tcp/www.baidu.com/443

客户端测试1： 192.168.0.104

image.png

客户端测试2： 192.168.0.107

image.png

参考

浅谈容器网络原理
https://mp.weixin.qq.com/s/vn1F783aNFFX1LGHhFYJDQ

聊聊 Docker 容器网络和 IPtables 间的亲密关系
https://mp.weixin.qq.com/s/Spl9h3ajdO2bn8LhAMo3Ag

docker 映射出来的端口如何写 iptables 规则
https://mp.weixin.qq.com/s/AC0dWjewU_Dam7wSOKeOhQ

docker容器iptables failed: iptable
docker容器iptables failed: iptables --wait -t nat -A DOCKER...
ubuntu18.04对docker映射的宿主机端口进行访问限制
前言：ubuntu系统启动docker容器，对外暴露访问端口，直接做iptables限制无效，需要在DOCKER-...
docker启动容器报错：iptables failed
问题描述：启动Docker容器的时候，发现了一个很奇葩的现象：iptables failed: iptables...
Docker iptables failed
启动 docker 容器时报错，提示iptables failed 。 1.问题回顾 >docker contai...
ubuntu20.04 ufw 无法管控docker映射端口的问
需要关闭docker iptables功能，具体操作如下添加iptables规则删除iptables规则
iptables快速上手
iptabls 容器包含的管理 iptables是表的容器，表是链的容器 iptables包含的表 filter...
Docker配置防火墙
背景常见的Linux防火墙配置在iptables的INPUT链，而Docker容器不经过此链。在Docker版本...
Centos7.4_iptables限制IP及端口.md
使用iptables限制端口： https://www.centos.bz/2018/01/iptables%E6...
Docker前传之linux iptables
如果要深入了解docker的网络配置，那就得先了解iptables。本文接下来会从0到1的说说iptables。 ...
Failed to Setup IP tables
瞎折腾port forwarding，搞坏了iptables，误删了docker相关的规则。在启动容器的时候报错：...

【iptables】如果用iptables限制docker容器映

参考

相关文章

docker容器iptables failed: iptable

ubuntu18.04对docker映射的宿主机端口进行访问限制

docker启动容器报错：iptables failed

Docker iptables failed

ubuntu20.04 ufw 无法管控docker映射端口的问

iptables快速上手

Docker配置防火墙

Centos7.4_iptables限制IP及端口.md

Docker前传之linux iptables

Failed to Setup IP tables

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读