How do I prevent code inside a Docker container from accessing the network?

Posted: 2014-09-01 17:30:06

Tags: security docker iptables

I need to block my Docker container from accessing the outside world. That means the container should not be able to do something like wget http://www.google.com

Previously I did this by adding an iptables rule, following instructions from Jérôme Petazzoni, for example:

-A FORWARD -s 10.0.3.0/24 -j DROP

This no longer seems to work. Maybe I don't know how to find the IP range that applies to docker/lxc. I'm running Docker 1.1.2 with the lxc driver.

One approach that may work for some people is --net="none". However, that doesn't work for me, because I still need the eth0 adapter and its associated HWaddr inside the container.

My current iptables rules are:

*mangle
:PREROUTING ACCEPT [12966683:10182972515]
:INPUT ACCEPT [12966640:10182952166]
:FORWARD ACCEPT [42:20285]
:OUTPUT ACCEPT [12323852:11636850769]
:POSTROUTING ACCEPT [12323894:11636871054]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Sep  1 13:11:46 2014
# Generated by iptables-save v1.4.21 on Mon Sep  1 13:11:46 2014
*nat
:PREROUTING ACCEPT [5:300]
:INPUT ACCEPT [114:6824]
:OUTPUT ACCEPT [19:1152]
:POSTROUTING ACCEPT [19:1152]
:DOCKER - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Sep  1 13:11:46 2014
# Generated by iptables-save v1.4.21 on Mon Sep  1 13:11:46 2014
*filter
:INPUT ACCEPT [714:163415]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [712:338517]
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -s 172.17.0.0/16 -j DROP
-A FORWARD -s 10.0.3.0/24 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 172.17.42.1/32 -j DROP
-A FORWARD -s 10.0.3.1/32 -j DROP
COMMIT

I see these docker0 and lxcbr0 adapters with ifconfig:

docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:43273 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3061463 (3.0 MB)  TX bytes:197800 (197.8 KB)

lxcbr0    Link encap:Ethernet  HWaddr 26:e3:8d:6d:45:26
          inet addr:10.0.3.1  Bcast:10.0.3.255  Mask:255.255.255.0
          inet6 addr: fe80::24e3:8dff:fe6d:4526/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

0 answers:

No answers
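An added example, not part of the original post and not an answer from this page, that addresses the rule ordering visible in the question's own iptables-save output. iptables evaluates a chain top to bottom and stops at the first match: the FORWARD chain above has `-A FORWARD -i docker0 ! -o docker0 -j ACCEPT` at position 2, so every packet leaving docker0 is accepted before the appended `-A FORWARD -s 172.17.0.0/16 -j DROP` at position 6 is ever reached. (The 10.0.3.0/24 range in the question's original rule belongs to lxcbr0; the ifconfig output shows Docker's bridge is docker0 with 172.17.0.0/16.) The script below prints rules that are inserted at the head of FORWARD instead of appended, and includes a check that reads `iptables -S FORWARD` output and reports whether a DROP is shadowed. It assumes the docker0 bridge and the 172.17.0.0/16 subnet from the question; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the docker0 bridge and
# the 172.17.0.0/16 container subnet shown in the question's ifconfig output.
# Function names are hypothetical. iptables itself is only invoked when the
# printed commands are piped to a shell as root.

# Print the commands that block traffic a container originates towards
# anything off the bridge. Each rule uses "-I FORWARD 1" (insert at the head
# of the chain), so it is evaluated before Docker's own
# "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT". The commands are printed
# in reverse order because every "-I FORWARD 1" lands above the previous one.
block_docker_egress_rules() {
    bridge="${1:-docker0}"
    # Matching on the ingress interface rather than "-s <subnet>" means a
    # root process inside the container cannot evade the rule by changing
    # its own source address.
    echo "iptables -I FORWARD 1 -i $bridge ! -o $bridge -j DROP"
    # Replies belonging to connections that came in through a published port
    # must still leave the container, so established flows are accepted first.
    echo "iptables -I FORWARD 1 -i $bridge -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Read "iptables -S FORWARD" output on stdin and decide whether the first DROP
# for the bridge (or for the subnet) comes before the
# "-i <bridge> ! -o <bridge> -j ACCEPT" rule that Docker installs.
# Exit 0 if the DROP is effective, 1 if it is shadowed by the ACCEPT,
# 2 if there is no such DROP rule at all.
check_egress_drop() {
    bridge="${1:-docker0}"
    subnet="${2:-172.17.0.0/16}"
    awk -v bridge="$bridge" -v subnet="$subnet" '
        /^-A FORWARD / { n++ }
        n && !accept && $0 ~ ("-i " bridge " ! -o " bridge " -j ACCEPT") { accept = n }
        n && !drop   && $0 ~ ("(-s " subnet "|-i " bridge ").* -j DROP$") { drop = n }
        END {
            if (!drop) { print "no DROP rule for " bridge " / " subnet; exit 2 }
            if (accept && accept < drop) {
                print "DROP at rule " drop " is shadowed by ACCEPT at rule " accept
                exit 1
            }
            print "DROP at rule " drop " is evaluated before any bridge ACCEPT"
            exit 0
        }'
}
```

Apply with `block_docker_egress_rules | sh` as root, then confirm with `iptables -S FORWARD | check_egress_drop`. Two caveats: FORWARD only governs routed traffic, so a container can still reach services listening on the host's own docker0 address (172.17.42.1 in the question); blocking that needs an INPUT rule such as `-I INPUT 1 -i docker0 -j DROP`, placed after an ESTABLISHED,RELATED accept. And rules added this way are not persisted, so they must be re-applied after a reboot.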