I have several web services in different containers, and each container's port 80 is redirected to a different port on the host server (container 1 80 -> 8003, container 2 80 -> 8004, container 3 80 -> 8005). I want to block access to these ports except for a preconfigured list of IPs.
I added the following iptables rules to the "docker-user" chain:
-A INPUT -s 212.154.74.194/32 -p tcp -j ACCEPT  # accept all from this ip
-A INPUT -s 185.22.208.0/25 -p tcp -j ACCEPT  # accept all from this ip
-A INPUT -p tcp -m tcp --dport 8003 -j DROP  # block anyone except allowed ips
-A INPUT -p tcp -m tcp --dport 8004 -j DROP  # block anyone except allowed ips
-A INPUT -p tcp -m tcp --dport 8005 -j DROP  # block anyone except allowed ips
But this does not work. The routed ports are still reachable from outside. I don't know what I am doing wrong. How can I block access to the routed ports?
Best answer
It seems the Docker docs answer your question fairly exhaustively:
By default, all external source IPs are allowed to connect to the Docker daemon. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, the following rule restricts external access to all IP addresses except 192.168.1.1:
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
To allow a specific subnet:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
Bonus: you can also restrict the connection entirely to localhost:
docker run -p 127.0.0.1:80:8003
should automatically restrict access to localhost. Or with docker compose:
webapp:
  image: image_name
  ports:
    - "127.0.0.1:80:8003"
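The asker's allowlist expressed in the DOCKER-USER chain the answer points to, as an added example that is not part of the question or the answer. Published ports are DNATed before the packet is forwarded to the container, so the traffic never hits INPUT and by the time it reaches FORWARD the destination port is already the container's 80; the script therefore matches the original host port through conntrack. The external interface name `eth0` is an assumption.

```shell
#!/bin/sh
# Added example: generate the iptables commands that move the asker's
# allowlist into the DOCKER-USER chain (consulted from FORWARD, not INPUT).
# By the time a published port's packet is in FORWARD it has been DNATed to
# the container's port 80, so the host port must be matched through the
# conntrack entry's original destination port (--ctorigdstport).

EXT_IF="eth0"                                     # assumption: host's external interface
ALLOWED_SRCS="212.154.74.194/32 185.22.208.0/25"  # allowlist from the question
PUBLISHED_PORTS="8003 8004 8005"                  # host ports from the question

# Print the commands instead of running them, so they can be reviewed first.
# Each command uses -I (insert at the top of the chain), so the DROP rules are
# printed first and the allow rules last; after all of them have run, the
# allow rules sit above the DROPs and are evaluated first.
docker_user_rules() {
  for port in $PUBLISHED_PORTS; do
    printf 'iptables -I DOCKER-USER -i %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
      "$EXT_IF" "$port"
  done
  for src in $ALLOWED_SRCS; do
    # RETURN hands the packet back to Docker's own chains, which accept
    # traffic to published ports; it does not bypass them the way ACCEPT would.
    printf 'iptables -I DOCKER-USER -i %s -s %s -j RETURN\n' "$EXT_IF" "$src"
  done
}

# Small checks on the generated rule set (number of rules, ordering).
rule_count() { docker_user_rules | wc -l | tr -d ' '; }
first_rule_is_drop() { docker_user_rules | head -n 1 | grep -q -- '-j DROP$'; }

# To apply on the Docker host (as root): docker_user_rules | sh
docker_user_rules
```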
Regarding "docker - How to prevent redirected docker ports from being open to the outside world?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55238809/