【iptables】如果用iptables限制docker容器映

【iptables】如果用iptables限制docker容器映

作者: Bogon | 来源:发表于2024-03-27 00:05 被阅读0次

服务端: 192.168.0.105
客户端测试1: 192.168.0.104
客户端测试2: 192.168.0.107

  1. 在服务端192.168.0.105启动一个测试容器
# docker run -d  --name rabbitmq -p 5672:5672 -p 15672:15672    --privileged=true  rabbitmq:3-management

# docker ps -a

CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                                                                                                         NAMES
9ebf3052bd79        rabbitmq:3-management   "docker-entrypoint.s…"   23 hours ago        Up 5 minutes        4369/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp, 15671/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp   rabbitmq


# iptables -nvL --line
Chain INPUT (policy ACCEPT 433 packets, 31389 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       37  2020 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       16   856 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        4   240 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5       17   924 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 233 packets, 21556 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:15672
2        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5672

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       17   924 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2       17   924 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

客户端测试1: 192.168.0.104


image.png

客户端测试2: 192.168.0.107


image.png

策略1(基于DOCKER链,指定网卡名)

# cat gen_iptables

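#!/bin/bash
# gen_iptables (policy 1: DOCKER chain, interface pinned)
#
# Prints -- it does not apply -- the iptables commands that restrict access to
# ports published by Docker containers: traffic arriving on ${nic} is dropped
# unless its source is in the whitelist below.
#
# Every container rule is emitted with `-I` (insert at position 1), so the
# order of the printed lines is significant: the DROPs are printed first and
# the ACCEPTs after them, which leaves the ACCEPTs above the DROPs once the
# output is applied in sequence.
#
# Review notes:
#  - The DOCKER chain is created and rewritten by the Docker daemon; rules
#    inserted into it by hand can disappear when the daemon restarts or a
#    container is (re)started. DOCKER-USER is the chain Docker reserves for
#    user rules and it is traversed first from FORWARD. The chain name is
#    therefore parameterised (CHAIN env var, default DOCKER) so the same
#    generator can target DOCKER-USER without editing the script.
#  - Only TCP is whitelisted: UDP is dropped for every source, including the
#    whitelisted hosts.
#  - The two INPUT rules have no restrictive effect unless the INPUT policy is
#    also set to DROP; this script does not do that.
#  - The original printed the whitelist loop twice, which produced duplicate
#    ACCEPT rules in the chain; the loop is now emitted once.
set -u

nic="${NIC:-ens33}"
chain="${CHAIN:-DOCKER}"

# Sources allowed to reach published container ports, one per element.
ips=(
  127.0.0.1
  192.168.0.104
)

echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
echo "iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT"

# Default-deny for traffic arriving on ${nic} toward containers (TCP and UDP).
echo "iptables -I ${chain}  -i ${nic} -p tcp --dport 1:65535 -j DROP"
echo "iptables -I ${chain}  -i ${nic} -p udp --dport 1:65535 -j DROP"

# Whitelist: inserted after the DROPs so they end up above them in the chain.
for ip in "${ips[@]}"; do
  echo "iptables -I ${chain} -i ${nic} -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
done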

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT

iptables -I DOCKER  -i ens33 -p tcp --dport 1:65535 -j DROP
iptables -I DOCKER  -i ens33 -p udp --dport 1:65535 -j DROP

iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT

iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT

# iptables -nvL --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       65  4692 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       37  2020 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       16   856 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        4   240 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5       17   924 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 31 packets, 2832 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  ens33  *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
2        0     0 ACCEPT     tcp  --  ens33  *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
3        0     0 ACCEPT     tcp  --  ens33  *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
4        0     0 ACCEPT     tcp  --  ens33  *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
5        0     0 DROP       udp  --  ens33  *       0.0.0.0/0            0.0.0.0/0            udp dpts:1:65535
6        0     0 DROP       tcp  --  ens33  *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:65535
7        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:15672
8        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5672

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       17   924 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2       17   924 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       37  2020 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

// 容器内部跟外部通讯回包不受影响
#  docker exec -it   xxxxxx   bash

root@xxxxxx:/# echo  > /dev/tcp/www.baidu.com/443

客户端测试1: 192.168.0.104


image.png

客户端测试2: 192.168.0.107


image.png

策略2(基于DOCKER链,不指定网卡名)

# cat gen_iptables

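#!/bin/bash
# gen_iptables (policy 2: DOCKER chain, no interface match)
#
# Prints -- it does not apply -- the iptables commands that restrict access to
# ports published by Docker containers: any TCP/UDP traffic reaching the chain
# is dropped unless its source is in the whitelist below.
#
# Every container rule is emitted with `-I` (insert at position 1), so the
# order of the printed lines is significant: the DROPs are printed first and
# the ACCEPTs after them, which leaves the ACCEPTs above the DROPs once the
# output is applied in sequence.
#
# Review notes:
#  - Without `-i`, the DROP rules match traffic from any ingress interface that
#    reaches the chain, not only the external NIC; whether bridge-to-bridge
#    container traffic is affected depends on whether it traverses FORWARD on
#    the host (br_netfilter) -- verify on the target host.
#  - The DOCKER chain is created and rewritten by the Docker daemon; rules
#    inserted into it by hand can disappear when the daemon restarts or a
#    container is (re)started. DOCKER-USER is the chain Docker reserves for
#    user rules and it is traversed first from FORWARD. The chain name is
#    therefore parameterised (CHAIN env var, default DOCKER).
#  - Only TCP is whitelisted: UDP is dropped for every source, including the
#    whitelisted hosts.
#  - The two INPUT rules have no restrictive effect unless the INPUT policy is
#    also set to DROP; this script does not do that.
#  - The original printed the whitelist loop twice, which produced duplicate
#    ACCEPT rules in the chain; the loop is now emitted once.
set -u

chain="${CHAIN:-DOCKER}"

# Sources allowed to reach published container ports, one per element.
ips=(
  127.0.0.1
  192.168.0.104
)

echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
echo "iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT"

# Default-deny for traffic toward containers (TCP and UDP), any interface.
echo "iptables -I ${chain}  -p tcp --dport 1:65535 -j DROP"
echo "iptables -I ${chain}  -p udp --dport 1:65535 -j DROP"

# Whitelist: inserted after the DROPs so they end up above them in the chain.
for ip in "${ips[@]}"; do
  echo "iptables -I ${chain} -s ${ip} -p tcp --dport 1:65535 -j ACCEPT"
done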

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp  -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j ACCEPT
iptables -I DOCKER  -i ens33 -p tcp --dport 1:65535 -j DROP
iptables -I DOCKER  -i ens33 -p udp --dport 1:65535 -j DROP
iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 127.0.0.1 -p tcp --dport 1:65535 -j ACCEPT
iptables -I DOCKER -i ens33 -s 192.168.0.104 -p tcp --dport 1:65535 -j ACCEPT
# iptables -nvL --line
Chain INPUT (policy ACCEPT 99 packets, 7722 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      167 11724 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       62  3459 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2       62  3459 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3       26  1393 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        9   540 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
5       27  1526 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 83 packets, 7888 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2   120 ACCEPT     tcp  --  *      *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
2        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
3        0     0 ACCEPT     tcp  --  *      *       192.168.0.104        0.0.0.0/0            tcp dpts:1:65535
4        0     0 ACCEPT     tcp  --  *      *       127.0.0.1            0.0.0.0/0            tcp dpts:1:65535
5        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1:65535
6        3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1:65535
7        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:15672
8        2   120 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:5672

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       27  1526 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
2       62  3459 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
2       27  1526 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       62  3459 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

// 容器内部跟外部通讯回包不受影响
#  docker exec -it   xxxxxx   bash

root@xxxxxx:/# echo  > /dev/tcp/www.baidu.com/443

客户端测试1: 192.168.0.104


image.png

客户端测试2: 192.168.0.107


image.png

参考

浅谈容器网络原理
https://mp.weixin.qq.com/s/vn1F783aNFFX1LGHhFYJDQ

聊聊 Docker 容器网络和 IPtables 间的亲密关系
https://mp.weixin.qq.com/s/Spl9h3ajdO2bn8LhAMo3Ag

docker 映射出来的端口如何写 iptables 规则
https://mp.weixin.qq.com/s/AC0dWjewU_Dam7wSOKeOhQ
