Block external access to Docker containers
I want to block direct access to my Docker containers from the outside. I use haproxy and only want ports 80 and 443 to be reachable.
I added the following rules to iptables, but I can still reach the Docker containers through other ports.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
This is probably because of the DOCKER chain:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
What rules do I need to create to block direct access?
Instead of doing this with iptables, you can use the docker network create NETWORK command to create a network that connects your application and your proxy. Also, don't expose the application on any port. The only container you should expose is your proxy. From inside the proxy you can send traffic using the container name as the hostname. Every container on the same network can reach every other container on it.
For example, if
- I have container A, which has the name my-service and a service running on port 3000, with no ports published to the host
- Container B is the proxy, running on port 80, published on the host. My proxy can pass requests to http://my-service:3000 and the traffic is routed to the container.
- If I try to go to http://mydomain:3000 it won't work, because the port isn't exposed; the only way to reach the application is through the proxy on port 80.
Full disclosure: I run this kind of setup on my personal VPS and cannot reach my containers directly by port. Using the built-in Docker networking will probably work better than messing with your iptables.
Hope this helps.
Dylan
Edit
I've kept the process general because I don't know the specifics of your proxy, network restrictions, etc. I also haven't gone into specific commands because the link above covers them better than I can.
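The layout Dylan describes, as an added shell example that is not part of the original answer: a user-defined network, the app container joined to it with no port published, and an haproxy container that is the only one publishing a host port and reaches the app by container name. The network name web, the container names my-service and edge, the image name my-app-image and port 3000 are assumptions; TLS on 443 is left out because it needs a certificate.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumed names: network
# "web", app container "my-service" on port 3000 from image "my-app-image",
# proxy container "edge" from the official haproxy image.
set -eu
NET="web"; APP="my-service"; APP_PORT="3000"

# Render a minimal haproxy.cfg whose only backend is the app container,
# addressed by container name (Docker's embedded DNS on a user-defined
# network resolves it); no host IP or published port is involved.
render_haproxy_cfg() {
  app="$1"; port="$2"
  cat <<EOF
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend http_in
    bind *:80
    default_backend app
backend app
    server app1 ${app}:${port} check
EOF
}

# Bring the stack up: the app joins the network with no -p flag, so the
# host gets no DNAT rule for it; only the proxy publishes port 80.
deploy() {
  docker network create "$NET" 2>/dev/null || true
  docker run -d --name "$APP" --network "$NET" my-app-image
  render_haproxy_cfg "$APP" "$APP_PORT" > ./haproxy.cfg
  docker run -d --name edge --network "$NET" -p 80:80 \
    -v "$PWD/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro" haproxy:2.8
}

# Check: any container other than the proxy that shows "->" in its Ports
# column has a host-published port, which is exactly what must not happen.
check_published_ports() {
  if docker ps --format '{{.Names}} {{.Ports}}' | grep -v '^edge ' | grep -q -- '->'; then
    return 1
  fi
  return 0
}

if [ "${1:-}" = "deploy" ]; then
  deploy
  check_published_ports
fi
```

Run it as `sh setup.sh deploy` on the Docker host; a non-zero exit from the final check means some container other than the proxy still publishes a port.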