At runtime, I can forward a container port to the global host IP:

```
docker run -p IP:5000:5000 container_name
```

or in docker-compose:

```
ports:
  - "5000:5000"
```

But this opens the host port to all external IP addresses. How can I make that port reachable from one host A with IP address X, and from no other IP address?
Answer 0 (score: 0)

You cannot do this as a configuration option. You can create a script that serves as your ENTRYPOINT and set up the inbound rules as part of that script before running the application.

Example flow inside the custom Entrypoint script:

By doing this, all connections/requests from unwanted IPs will be dropped.

You can find a good example here: https://dev.to/andre/docker-restricting-in--and-outbound-network-traffic-67p

Hope this helps!
Answer 1 (score: 0)

The following line can restrict access to a port opened on a Docker container:

```
iptables -I DOCKER ! -s IP_ADDRESS -j DROP
```

Reference:
Docker iptables manipulation:
Answer 2 (score: 0)

See the documentation: when you specify the port format, you can also give the IP address to bind to (the default is to bind to all IP addresses, 0.0.0.0).
```
EXPOSE (incoming ports)

The following run command options work with container networking:

--expose=[]: Expose a port or a range of ports inside the container.
             These are additional to those exposed by the `EXPOSE` instruction
-P         : Publish all exposed ports to the host interfaces
-p=[]      : Publish a container's port or a range of ports to the host
             format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort
             Both hostPort and containerPort can be specified as a
             range of ports. When specifying ranges for both, the
             number of container ports in the range must match the
             number of host ports in the range, for example:
             -p 1234-1236:1234-1236/tcp

             When specifying a range for hostPort only, the
             containerPort must not be a range. In this case the
             container port is published somewhere within the
             specified hostPort range. (e.g., `-p 1234-1236:1234/tcp`)

             (use 'docker port' to see the actual mapping)

--link=""  : Add link to another container (<name or id>:alias or <name or id>)
```
Reference: https://docs.docker.com/engine/reference/run/#expose-incoming-ports
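As an added example (not code from any of the answers above), a small checker that parses the four `-p` / `ports:` forms quoted from the docs and flags the specs that keep the default 0.0.0.0 bind. The names `PublishSpec` and `audit` and the 192.0.2.x sample address are mine. Note that binding to a specific host IP only changes which interface listens; it does not filter by source address, which is what the iptables rule in Answer 1 does.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Wildcard binds: the published port listens on every host interface.
ANY_ADDR = {"0.0.0.0", "::"}


@dataclass
class PublishSpec:
    host_ip: str                            # "0.0.0.0" when the spec names no address
    host_ports: Optional[Tuple[int, int]]   # None: Docker picks an ephemeral host port
    container_ports: Tuple[int, int]
    proto: str


def _port_range(text: str) -> Optional[Tuple[int, int]]:
    """'1234' -> (1234, 1234); '1234-1236' -> (1234, 1236); '' -> None."""
    if text == "":
        return None
    lo, _, hi = text.partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not 0 < lo_n <= hi_n <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo_n, hi_n


def parse_publish(spec: str) -> PublishSpec:
    """ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort | containerPort"""
    body, _, proto = spec.strip().partition("/")
    parts = body.rsplit(":", 2)  # rsplit keeps a bracketed IPv6 address ([::1]) in one piece
    if len(parts) == 3:
        ip, host, cont = parts
    elif len(parts) == 2:
        ip, (host, cont) = "", parts
    else:
        ip, host, cont = "", "", parts[0]
    ip = ip.strip("[]") or "0.0.0.0"         # no address given: Docker's default bind
    host_r, cont_r = _port_range(host), _port_range(cont)
    if cont_r is None:
        raise ValueError(f"missing container port: {spec}")
    # Ranges on both sides must be the same size; hostPort-range:single-port is allowed.
    if host_r and cont_r[0] != cont_r[1] and host_r[1] - host_r[0] != cont_r[1] - cont_r[0]:
        raise ValueError(f"range sizes differ: {spec}")
    return PublishSpec(ip, host_r, cont_r, proto or "tcp")


def audit(specs: List[str]) -> List[str]:
    """Return the specs that publish a port on every host interface."""
    return [s for s in specs if parse_publish(s).host_ip in ANY_ADDR]
```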