I've run into a problem where the ports exposed by applications running in Docker containers on our system remain open to the world, despite an iptables configuration intended to restrict access.

As far as I can tell, the problem may be related to the docker daemon adding rules to iptables when it starts. I'm also aware of --icc=true|false, --ip-forward=true|false and --iptables=true|false, but I'm not sure which combination of these flags should be applied. I've tried --icc=false and --icc=false --ip-forward=false, but neither had the desired effect. I'm reluctant to use --iptables=false, because the daemon clearly adds a lot of rules that I'd have to configure manually if they're still needed.

This is the state of the rules before the docker daemon starts:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
    0     0 DROP       all  -f  any    any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
   82  8831 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports ssh
    0     0 ACCEPT     tcp  --  any    any     <IP ADDRESS RANGE 1> anywhere             multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
    0     0 ACCEPT     tcp  --  any    any     <IP ADDRESS RANGE 2> anywhere             multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  2489 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   77 10080 ACCEPT     all  --  any    any     anywhere             anywhere
And this is the situation with the docker daemon running:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  !lo    any     anywhere             loopback/8           reject-with icmp-port-unreachable
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
    0     0 DROP       all  -f  any    any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
 1335  230K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    1    32 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
    7   380 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports ssh
    0     0 ACCEPT     tcp  --  any    any     <IP ADDRESS RANGE 1> anywhere             multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
    0     0 ACCEPT     tcp  --  any    any     <IP ADDRESS RANGE 2> anywhere             multiport dports ssh,http,https,7990,7999,tproxy,8090,8095,18080
   35  2016 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
   62  3672 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
54492   21M DOCKER     all  --  any    docker0 anywhere             anywhere
51882   20M ACCEPT     all  --  any    docker0 anywhere             anywhere             ctstate RELATED,ESTABLISHED
58371 9122K ACCEPT     all  --  docker0 !docker0 anywhere           anywhere
    0     0 DROP       all  --  docker0 docker0 anywhere            anywhere
 1186  121K REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2090  263K ACCEPT     all  --  any    any     anywhere             anywhere

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   86  7048 ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.2           tcp dpt:7990
 1639  395K ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.2           tcp dpt:7999
  791  151K ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.3           tcp dpt:http-alt
   20  1898 ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.4           tcp dpt:8090
   49  4561 ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.5           tcp dpt:18080
   25  3642 ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.6           tcp dpt:8095
There are also some POSTROUTING & MASQUERADE rules that only show up when you use iptables-save; they are not displayed by iptables -L. I'm not sure of the significance of these either.

I suspect the DOCKER target rule in the FORWARD chain is the root of the problem, but I don't understand how to fix it, since it seems to be inserted at the start of the chain by the docker daemon.

So, can anyone tell me what I need to do to ensure that ports 7990, 8090, etc. aren't exposed to the world when running docker?

Thanks

Richard
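As an added example (mine, not part of Richard's question), here is a small shell check that answers the first thing you want to know in this situation: which published container ports will the host forward from any source address. It reads `iptables-save -t nat` output, which is where the DNAT and MASQUERADE rules mentioned above appear, and prints every DNAT rule that carries no positive `-s` source match. The sample data is constructed: the 49154 -> 172.17.0.2:7990 mapping mirrors the question, and the 10.0.0.0/8-restricted 8090 rule is invented to show what a source-limited rule looks like.

```shell
#!/bin/sh
# Added example, not from the original question: list the DNAT rules that
# forward a host port to a container from ANY source address.
# Real use:  iptables-save -t nat | exposed_dnat

# Constructed sample of `iptables-save -t nat` output (Docker 1.x style).
# 49154 -> 7990 mirrors the question; the 10.0.0.0/8-restricted 8090 rule
# is made up to show the contrast.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49154 -j DNAT --to-destination 172.17.0.2:7990
-A DOCKER -s 10.0.0.0/8 ! -i docker0 -p tcp -m tcp --dport 8090 -j DNAT --to-destination 172.17.0.4:8090
COMMIT'

# Read iptables-save lines on stdin; print "hostport -> container:port" for
# each DNAT rule that has no "-s <network>" match. A negated "! -s" is not a
# restriction, so such rules are still reported as exposed.
exposed_dnat() {
  awk '/-j DNAT/ {
    hp = ""; dst = ""; restricted = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "-s" && (i == 1 || $(i - 1) != "!")) restricted = 1
      if ($i == "--dport") hp = $(i + 1)
      if ($i == "--to-destination") dst = $(i + 1)
    }
    if (!restricted) print hp " -> " dst
  }'
}

# Run the check over the constructed sample so it can be tried offline.
audit_sample() {
  printf '%s\n' "$SAMPLE_NAT" | exposed_dnat
}

audit_sample
```

Anything this prints is reachable from the world at the filter level too, because the FORWARD rules in the question jump straight to the DOCKER chain, whose ACCEPT rules match on `!docker0 -> docker0` with no source restriction. Ports that only appear in the INPUT chain's `<IP ADDRESS RANGE>` rules are irrelevant here: DNAT'd traffic never traverses INPUT, it goes through FORWARD.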
The DOCKER chain is a custom chain defined in the FORWARD chain. When a packet hits any interface and is bound for the docker0 bridge interface, it is sent to the custom DOCKER chain.

 pkts bytes target     prot opt in     out     source               destination
54492   21M DOCKER     all  --  any    docker0 anywhere             anywhere

Now, the DOCKER chain will send all packets except those coming from docker0 to a container IP (172.x.x.x) and port, here 7990.

 pkts bytes target     prot opt in     out     source               destination
   86  7048 ACCEPT     tcp  --  !docker0 docker0 anywhere           172.17.0.2           tcp dpt:7990
If you post the output of iptables -t nat -L -n, you will see the DNAT rules the host uses for container port forwarding, e.g. packets hitting the host interface on 49154 are port-forwarded to container IP 172.17.0.2 and port 7990.

DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:49154 to:172.17.0.2:7990

Packets can be stopped from hitting the container by, for example, restricting the source IP from any (0.0.0.0) to only allow packets from the internal network. To allow only the internal network 192.168.1.0/24 to connect to the container port 7990, you could run the following command –

/sbin/iptables -I FORWARD '!' -s 192.168.1.0/24 -d 172.17.0.2 -p tcp --dport 7990 -j DROP

This will stop any packets being forwarded to the container at the specified IP:port unless they come from the internal network. You can modify the source/destination IPs and ports according to your setup.
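As an added example (mine, not from the answer above), the single rule given in the answer generalized to every container IP:port the question's DOCKER chain lists, inserted idempotently at the head of FORWARD. TRUSTED_NET is a placeholder for your internal network, the IP/port pairs are the ones from the question, and setting IPTABLES=echo previews the commands without touching the firewall.

```shell
#!/bin/sh
# Added example, not from the original answer: apply the answer's FORWARD
# DROP rule to every published container port, without duplicating rules.
# Assumptions: TRUSTED_NET is a placeholder for your internal network; the
# container IP/port pairs are those listed in the question's DOCKER chain.
# Preview with:  IPTABLES=echo sh restrict.sh

IPTABLES=${IPTABLES:-/sbin/iptables}
TRUSTED_NET=${TRUSTED_NET:-192.168.1.0/24}

# Container IP and TCP port, one pair per line (http-alt in the question is 8080).
MAPPINGS='172.17.0.2 7990
172.17.0.2 7999
172.17.0.3 8080
172.17.0.4 8090
172.17.0.5 18080
172.17.0.6 8095'

# Rule specification: drop forwarded packets to container IP:port unless the
# source is the trusted network. Args: trusted CIDR, container IP, port.
rule_spec() {
  printf '%s' "! -s $1 -d $2 -p tcp --dport $3 -j DROP"
}

# Insert at position 1 of FORWARD, i.e. ahead of Docker's jump to the DOCKER
# chain, so the DOCKER chain's ACCEPT never sees the packet. Skip the insert
# when an identical rule already exists (-C exits 0 if it does).
restrict_port() {
  spec=$(rule_spec "$TRUSTED_NET" "$1" "$2")
  # $spec is deliberately unquoted: iptables needs each token as an argument.
  if [ "$IPTABLES" != echo ] && "$IPTABLES" -C FORWARD $spec 2>/dev/null; then
    echo "present: FORWARD $spec"
  else
    "$IPTABLES" -I FORWARD 1 $spec
  fi
}

# Apply the rule to every mapping.
restrict_all() {
  printf '%s\n' "$MAPPINGS" | while read -r ip port; do
    restrict_port "$ip" "$port"
  done
}

restrict_all
```

Two caveats a practitioner will want. First, the rule only holds while it sits above the `DOCKER` jump; the daemon manages its own FORWARD rules and does not know about yours, so check the order with `iptables -L FORWARD -n --line-numbers` after a docker restart and rerun the script if the jump has moved back above your DROPs. Second, container IPs such as 172.17.0.2 are assigned at container start and can change; if they do, the `-d` match silently stops applying, so regenerate the mappings rather than hard-coding them long term.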
So, this would be a comment, but I don't have the serverfault rep for it..

Have you tried the solution posted here: http://blog.viktorpetersson.com/post/101707677489/the-dangers-of-ufw-docker

Using the flag --iptables=false like this: DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false" ?