How do I prevent code inside a docker container from accessing the network?

I need to block my docker containers from accessing the outside world. That means a container should not be able to do something like wget http://www.google.com.

Previously I used Jérôme Petazzoni's instructions, adding iptables rules such as:

    -A FORWARD -s 10.0.3.0/24 -j DROP

This no longer seems to work. Perhaps I don't know how to find the right IP used for docker/lxc. I am running docker 1.1.2 with the lxc driver.

One approach that might work for some people is to use --net="none". However, that does not suit me, because I still need the eth0 adapter and its associated HWaddr inside my container.

My current iptables rules are:

    *mangle
    :PREROUTING ACCEPT [12966683:10182972515]
    :INPUT ACCEPT [12966640:10182952166]
    :FORWARD ACCEPT [42:20285]
    :OUTPUT ACCEPT [12323852:11636850769]
    :POSTROUTING ACCEPT [12323894:11636871054]
    -A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    COMMIT
    # Completed on Mon Sep 1 13:11:46 2014
    # Generated by iptables-save v1.4.21 on Mon Sep 1 13:11:46 2014
    *nat
    :PREROUTING ACCEPT [5:300]
    :INPUT ACCEPT [114:6824]
    :OUTPUT ACCEPT [19:1152]
    :POSTROUTING ACCEPT [19:1152]
    :DOCKER - [0:0]
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
    -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
    -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
    -A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
    COMMIT
    # Completed on Mon Sep 1 13:11:46 2014
    # Generated by iptables-save v1.4.21 on Mon Sep 1 13:11:46 2014
    *filter
    :INPUT ACCEPT [714:163415]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [712:338517]
    -A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A FORWARD -o lxcbr0 -j ACCEPT
    -A FORWARD -i lxcbr0 -j ACCEPT
    -A FORWARD -s 172.17.0.0/16 -j DROP
    -A FORWARD -s 10.0.3.0/24 -j DROP
    -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORWARD -s 172.17.42.1/32 -j DROP
    -A FORWARD -s 10.0.3.1/32 -j DROP
    COMMIT

I used ifconfig to look at these docker0 and lxcbr0 adapters:

    docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
              inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
              inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:43273 errors:0 dropped:0 overruns:0 frame:0
              TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3061463 (3.0 MB)  TX bytes:197800 (197.8 KB)

    lxcbr0    Link encap:Ethernet  HWaddr 26:e3:8d:6d:45:26
              inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
              inet6 addr: fe80::24e3:8dff:fe6d:4526/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
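An added diagnostic, not part of the question or of Docker itself, that reads the FORWARD chain from the iptables-save dump above and, for each DROP rule keyed on a source subnet, lists the earlier ACCEPT rules that can already match traffic from that subnet leaving the bridges. iptables stops at the first terminating match, so a DROP appended with -A behind such an ACCEPT never fires. The bridge-to-subnet mapping is taken from the ifconfig output; protocol, port and conntrack matches are ignored, so the check over-reports rather than under-reports.

```python
import ipaddress
import shlex
# Constructed sample: the FORWARD chain from the question's iptables-save dump,
# up to the two subnet-wide DROP rules the question is about.
FORWARD_RULES = """\
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -s 172.17.0.0/16 -j DROP
-A FORWARD -s 10.0.3.0/24 -j DROP""".splitlines()
# Bridge subnets from the question's ifconfig output (inet addr + Mask).
BRIDGES = {"docker0": ipaddress.ip_network("172.17.0.0/16"),
           "lxcbr0": ipaddress.ip_network("10.0.3.0/24")}

def parse_rule(line):
    """Keep -i/-o/-s as (value, negated) plus the -j target; other matches are ignored."""
    toks, neg = shlex.split(line), False
    rule = {"raw": line, "i": None, "o": None, "s": None, "j": None}
    for k, tok in enumerate(toks):
        if tok in ("-i", "-o", "-s"):
            val = toks[k + 1]
            rule[tok[1]] = (ipaddress.ip_network(val) if tok == "-s" else val, neg)
        elif tok == "-j":
            rule["j"] = toks[k + 1]
        neg = tok == "!"  # a '!' negates the option that follows it
    return rule

def may_match_egress(rule, src, bridge):
    """Can `rule` match a packet from `src` (attached to `bridge`) leaving the bridges?"""
    net, neg = rule["s"] or (None, False)
    if net and ((neg and src.subnet_of(net)) or (not neg and not net.overlaps(src))):
        return False  # -s excludes every address in src
    if rule["i"] and (rule["i"][0] == bridge) == rule["i"][1]:
        return False  # -i names another interface (or '! -i' names ours)
    if rule["o"] and not rule["o"][1] and rule["o"][0] in BRIDGES:
        return False  # -o <bridge> is bridge-to-bridge traffic, not egress
    return True       # nothing we track excludes it; port/state matches are ignored

def shadowed_drops(lines):
    """Map each '-s <net> ... -j DROP' rule to the earlier ACCEPT rules that pre-empt it."""
    rules, report = [parse_rule(l) for l in lines], {}
    for idx, r in enumerate(rules):
        if r["j"] != "DROP" or not r["s"] or r["s"][1]: continue
        src = r["s"][0]
        bridge = next((b for b, net in BRIDGES.items() if src.subnet_of(net)), None)
        report[r["raw"]] = [e["raw"] for e in rules[:idx]
                            if e["j"] == "ACCEPT" and may_match_egress(e, src, bridge)]
    return report
```

On the dump above it reports both DROP rules as shadowed, the 172.17.0.0/16 one by `-A FORWARD -i docker0 ! -o docker0 -j ACCEPT` and the 10.0.3.0/24 one by `-A FORWARD -i lxcbr0 -j ACCEPT`; a DROP inserted at the head of the chain with `iptables -I FORWARD 1 ...` sits ahead of those ACCEPTs and is not shadowed.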