How do I block access to a Docker container port from the outside Internet with iptables? Ubuntu 18. I have a remote server with a Docker container on it, and I can reach the container at $MY_SERVER_IP:$docker_container_port. How can I disable access to that container from the Internet and allow only local calls from within the server itself?
This is the output of iptables -L -n:
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- !142.93.231.42 0.0.0.0/0 tcp dpt:4467 reject-with icmp-port-unreachable
REJECT tcp -- !127.0.0.1 0.0.0.0/0 tcp dpt:4467 reject-with icmp-port-unreachable
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
Chain DOCKER (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 172.18.0.3 tcp dpt:4466
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4467
DROP all -- 0.0.0.0/0 0.0.0.0/0
Answer 0: (score: 0)
# Remove the unconditional RETURN that sits first in DOCKER-USER; it hands every packet back to FORWARD before any DROP below it can match.
iptables -D DOCKER-USER -j RETURN
# Default for everything that reaches the end of the chain: drop.
iptables -A DOCKER-USER -j DROP
# Insert exemptions at the top: private ranges and one trusted address (replace xxx.xxx.xxx.xxx) return to Docker's own chains.
iptables -I DOCKER-USER -s 10.0.0.0/8 -j RETURN
iptables -I DOCKER-USER -s 172.16.0.0/12 -j RETURN
iptables -I DOCKER-USER -s 192.168.0.0/16 -j RETURN
iptables -I DOCKER-USER -s xxx.xxx.xxx.xxx -j RETURN
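The following script is an added example, not code from the question or from the answer above. It rebuilds the DOCKER-USER chain from an empty state instead of editing it rule by rule, so the result is the same no matter what the chain held before (including the unconditional RETURN visible at the top of the question's listing, which makes every DROP after it dead). Two points the answer's commands leave implicit: in the FORWARD chain shown above, DOCKER-USER is consulted before Docker's own RELATED,ESTABLISHED accept, so a bare final DROP would also discard the replies to connections the containers open towards the Internet, hence the conntrack RETURN placed first; and packets generated on the host itself go through OUTPUT, not FORWARD, so calls from the server to its own published ports are unaffected and need no extra rule. Assumptions: IPTABLES names the iptables binary (set IPTABLES=echo for a dry run that only prints the commands), and TRUSTED_IP defaults to 203.0.113.10, a constructed RFC 5737 documentation address standing in for the answer's xxx.xxx.xxx.xxx.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Rebuilds the DOCKER-USER chain so published container ports answer
# only to private source networks and one trusted address.
# Assumptions: IPTABLES is the iptables binary (IPTABLES=echo dry-runs);
# TRUSTED_IP is a constructed RFC 5737 placeholder for xxx.xxx.xxx.xxx.

IPTABLES="${IPTABLES:-iptables}"
TRUSTED_IP="${TRUSTED_IP:-203.0.113.10}"

# Prints the rules in evaluation order, one per line. DOCKER-USER runs
# before Docker's RELATED,ESTABLISHED accept in FORWARD, so the conntrack
# RETURN comes first: without it, replies to connections the containers
# open towards the Internet would fall through to the final DROP.
docker_user_rules() {
    cat <<EOF
-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
-s 10.0.0.0/8 -j RETURN
-s 172.16.0.0/12 -j RETURN
-s 192.168.0.0/16 -j RETURN
-s $TRUSTED_IP -j RETURN
-j DROP
EOF
}

# Flushes DOCKER-USER and appends the rules above in order, so the chain
# ends in exactly this state regardless of its previous contents.
apply_docker_user_rules() {
    "$IPTABLES" -F DOCKER-USER
    docker_user_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        "$IPTABLES" -A DOCKER-USER $rule
    done
}

# Lists the resulting chain so the order can be checked by eye.
show_docker_user_chain() {
    "$IPTABLES" -L DOCKER-USER -n --line-numbers
}

# Only touch the live firewall when explicitly asked: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_docker_user_rules
    show_docker_user_chain
fi
```

Run it as root with the argument `apply` to change the live chain, or with `IPTABLES=echo` and `apply` to see the exact iptables commands first. The rules use RETURN rather than ACCEPT for the allowed sources so that Docker's own DOCKER and isolation chains still decide what is ultimately forwarded; only the final rule makes a terminal decision.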