I have a docker container running like:
docker run --name some_container_1 -p 8080:80 -d some_image
Which works fine. The container exposes port 80 as 8080 and is reachable from localhost.
However, for some reason it ignores the iptables INPUT rules completely and is also reachable from outside.
How can I restrict access to my Docker container so that only e.g. the IP 123.456.789.0 can access it externally?
Thanks.
sudo iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in       out      source               destination
1        0     0 ACCEPT     all  --  lo       *        0.0.0.0/0            0.0.0.0/0
2      365 23380 ACCEPT     all  --  *        *        0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *        *        0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        7   788 LOG        all  --  *        *        0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
5        7   788 DROP       all  --  *        *        0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in       out      source               destination
1       24  1524 DOCKER     all  --  *        docker0  0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  *        docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3       15 13320 ACCEPT     all  --  docker0  !docker0 0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  docker0  docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 204 packets, 21792 bytes)
num   pkts bytes target     prot opt in       out      source               destination

Chain DOCKER (1 references)
num   pkts bytes target     prot opt in       out      source               destination
1       24  1524 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:80
sudo iptables-save
# Generated by iptables-save v1.4.21 on Wed Apr 8 23:37:43 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100:16642]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Apr 8 23:37:43 2015
# Generated by iptables-save v1.4.21 on Wed Apr 8 23:37:43 2015
*nat
:PREROUTING ACCEPT [13:2206]
:INPUT ACCEPT [1:64]
:OUTPUT ACCEPT [4:268]
:POSTROUTING ACCEPT [4:268]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
# Completed on Wed Apr 8 23:37:43 2015
docker info
Containers: 1
Images: 25
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 27
Execution Driver: native-0.2
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
CPUs: 4
Total Memory: 7.746 GiB
Name: nuc-001
ID: WCMU:MN3T:VFKR:IU42:6423:OEI6:IB5Q:WBNV:K75H:JZDS:UWU5:57WD
WARNING: No memory limit support
WARNING: No swap limit support
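Worked example, added after the question and not part of it: the reason the INPUT rules never see this traffic is visible in the iptables-save output above. Docker's -p 8080:80 installs a DNAT rule reached from the nat table's PREROUTING chain, so a packet for host port 8080 is rewritten to 172.17.0.2:80 before the routing decision and then traverses FORWARD (where Docker's jump into its DOCKER chain accepts it); INPUT is only consulted for packets delivered to the host itself. The script below parses iptables-save text of this shape, lists the published ports, generates a FORWARD rule that drops new connections to the container from any source other than an allowed one, and audits whether such a rule precedes Docker's jump. The external interface name eth0, the allowed address 203.0.113.10 and the trimmed sample rules are constructed assumptions. On Docker 17.06 and later the same match belongs in the DOCKER-USER chain, which Docker leaves in place when it rewrites its own rules; on the 2015 Docker in this question that chain does not exist, so the rule is inserted at the top of FORWARD and must be re-applied if Docker flushes the chain.

```python
import re
import ipaddress

# Constructed sample, trimmed from the iptables-save output in the question to
# the lines that decide the fate of an inbound packet for host port 8080.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
"""

# Docker's port-publishing rule: "-p tcp ... --dport HOST -j DNAT --to-destination IP:PORT"
DNAT_RE = re.compile(
    r"^-A DOCKER .*-p (tcp|udp) .*--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)$"
)


def tables(save_output):
    """Split iptables-save text into {table_name: [rule lines in order]}."""
    result, current = {}, None
    for line in save_output.splitlines():
        if line.startswith("*"):
            current = line[1:]
            result[current] = []
        elif line.startswith("-A ") and current is not None:
            result[current].append(line)
    return result


def published_ports(save_output):
    """Map each DNAT'd host port to (proto, container_ip, container_port).

    These rules live in the nat table and are hit from PREROUTING, i.e. before
    the routing decision: the packet is already addressed to the container when
    the kernel decides to forward it, so it goes through FORWARD, never INPUT.
    """
    ports = {}
    for line in tables(save_output).get("nat", []):
        m = DNAT_RE.match(line)
        if m:
            proto, host_port, ip, cport = m.groups()
            ports[int(host_port)] = (proto, ip, int(cport))
    return ports


def restriction_rules(save_output, allowed_src, ext_if="eth0"):
    """Build one FORWARD rule per published port allowing only allowed_src.

    The match uses the post-DNAT destination (container IP and port) because
    that is what FORWARD sees. '-I' puts it above Docker's '-o docker0 -j DOCKER'
    jump so it is evaluated first. Only NEW connections are dropped; replies to
    connections the container itself opened stay untouched.
    """
    net = ipaddress.ip_network(allowed_src, strict=False)  # raises ValueError if malformed
    cmds = []
    for _host_port, (proto, ip, cport) in sorted(published_ports(save_output).items()):
        cmds.append(
            f"iptables -I FORWARD -i {ext_if} -o docker0 -p {proto} -d {ip} "
            f"--dport {cport} -m conntrack --ctstate NEW ! -s {net} -j DROP"
        )
    return cmds


def reaches_docker_unfiltered(save_output, container_ip, container_port):
    """Audit: True if nothing in FORWARD drops/rejects traffic to the container
    before Docker's own jump into the DOCKER chain (which will ACCEPT it)."""
    target_ip = ipaddress.ip_address(container_ip)
    for line in tables(save_output).get("filter", []):
        if not line.startswith("-A FORWARD "):
            continue
        if line.endswith("-j DOCKER"):
            return True  # reached Docker's jump without seeing a restriction
        dst = re.search(r"-d (\S+)", line)
        dport = re.search(r"--dport (\d+)", line)
        target = re.search(r"-j (\S+)$", line)
        if dst and dport and target and target.group(1) in ("DROP", "REJECT"):
            in_net = target_ip in ipaddress.ip_network(dst.group(1), strict=False)
            if in_net and int(dport.group(1)) == container_port:
                return False
    return True


if __name__ == "__main__":
    print("published:", published_ports(SAMPLE_SAVE))
    print("container reachable by anyone:", reaches_docker_unfiltered(SAMPLE_SAVE, "172.17.0.2", 80))
    for cmd in restriction_rules(SAMPLE_SAVE, "203.0.113.10"):
        print(cmd)
```

Run it against the real output with `sudo iptables-save | python3 script.py` after swapping SAMPLE_SAVE for `sys.stdin.read()`; the generated command is meant to be reviewed, then applied by hand.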