阻止外部访问Docker容器

  • Z时代
  • 2024-01-10
  • 分类:问答

我想阻止从外部直接访问docker容器。我使用haproxy,并且只希望访问端口80、443。

我在iptables中添加了以下规则。但是我仍然可以通过不同的端口访问Docker容器。

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT

这可能是由于DOCKER链

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http
Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

我需要创建什么规则来阻止直接访问?

回答:

您可以使用docker network create

NETWORK命令创建一个网络来连接应用程序和代理,而不必使用IP表来执行此操作。另外,请勿在任何端口上公开应用程序。您应该公开的唯一容器是代理。然后,您可以从代理内使用容器名称作为主机名路由通信。其他容器可以访问同一网络上的每个容器。

例如,如果

  • 我有一个名称为的容器A,my-service并且在端口3000上运行了服务,并且

  • 容器B是运行在端口80上的代理, 。我的代理可以将请求传递到http:// my-service:3000,它将流量路由到容器。

  • 如果我尝试转到http:// mydomain:3000,则该端口将无法工作,因为端口尚未公开,访问应用程序的唯一方法是通过端口80上的代理

我建议您阅读https://docs.docker.com/engine/userguide/networking/work-with-

networks/,因为这说明了如何开始使用网络。

希望这是有用的。

迪伦

回答:

由于不了解有关代理,网络限制等方面的设置细节,因此我对流程进行了概括。由于上面的链接比我更擅长于此,因此我也没有涉及特定的命令。

以上是 阻止外部访问Docker容器 的全部内容, 来源链接: utcz.com/qa/434024.html

回到顶部