Configuring iptables with Docker containers
To understand how iptables works, you can read the guide at the following link:
https://fixloinhanh.com/tim-hieu-iptables/
1./ Example: Restrict connections to the Docker host
By default, all external source IPs are allowed to connect to the Docker host. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER-USER filter chain. For example, the following rule restricts external access from all IP addresses except 192.168.1.1:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
Please note that you will need to change ext_if to correspond with your host’s actual external interface. You could instead allow connections from a source subnet. The following rule only allows access from the subnet 192.168.1.0/24:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
Finally, you can specify a range of IP addresses to accept using --src-range (Remember to also add -m iprange when using --src-range or --dst-range):
iptables -I DOCKER-USER -m iprange -i ext_if ! --src-range 192.168.1.1-192.168.1.3 -j DROP
You can combine -s or --src-range with -d or --dst-range to control both the source and destination. For instance, if the Docker daemon listens on both 192.168.1.99 and 10.1.2.3, you can make rules specific to 10.1.2.3 and leave 192.168.1.99 open.
iptables is complicated and more complicated rules are out of scope for this topic. See the Netfilter.org HOWTO for a lot more information.
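The rules in this section are usually typed one at a time, which makes it easy to end up with the wrong order or a duplicated rule after a reboot. The script below is an added example (not from the original post or from Docker's documentation) that builds the DOCKER-USER allowlist described above and generalizes the single-source "! -s" rule to a list of allowed sources. Two details matter for a working firewall: replies to connections that the containers themselves open arrive on the external interface with an arbitrary source address, so a RELATED,ESTABLISHED accept has to sit above the DROP, and allowed sources should RETURN rather than ACCEPT so Docker's own DOCKER chain still limits them to published ports. The interface name "ext_if" and the sample networks are assumptions; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the original post: build and (optionally) apply a
# DOCKER-USER allowlist for published container ports. It generalizes the
# single-source "! -s" rule above to a list of allowed sources.
# Assumed/hypothetical values: external interface "ext_if" and the sample
# networks below; replace them with your own. DRY_RUN=1 (the default) only
# prints the iptables commands instead of running them.

# Print the rules for one external interface and one or more allowed
# sources, top of chain first, one rule per line (without the chain name).
docker_user_rules() {
    ext_if="$1"
    shift
    # Replies to connections the containers opened themselves must pass:
    # they arrive on ext_if with an arbitrary source and would otherwise be
    # dropped by the final rule, breaking all outbound container traffic.
    printf '%s\n' "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Allowed sources RETURN to FORWARD, so Docker's own DOCKER chain still
    # decides which published ports they may reach (ACCEPT here would skip it).
    for src in "$@"; do
        printf '%s\n' "-i $ext_if -s $src -j RETURN"
    done
    # Everything else arriving on the external interface is dropped.
    printf '%s\n' "-i $ext_if -j DROP"
}

# Insert the rules at explicit positions 1..n so the final order in the chain
# matches the printed order; skip rules that already exist (iptables -C).
apply_docker_user_rules() {
    pos=1
    docker_user_rules "$@" | while IFS= read -r rule; do
        # $rule is split into words on purpose; do not quote it.
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "iptables -I DOCKER-USER $pos $rule"
        elif iptables -C DOCKER-USER $rule 2>/dev/null; then
            echo "already present: $rule"
        else
            iptables -I DOCKER-USER "$pos" $rule
        fi
        pos=$((pos + 1))
    done
}

# Sample invocation (constructed values): one management host and one LAN.
apply_docker_user_rules "${EXT_IF:-ext_if}" 192.168.1.1 192.168.1.0/24
```

Run it once as root with DRY_RUN=0 after checking the printed commands; because every rule is checked with iptables -C before insertion, it is safe to run again from a boot script. The positions are explicit because repeated plain "-I DOCKER-USER" calls would reverse the order and put the DROP above the conntrack accept.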
2./ Example 2: Docker on a router
Docker also sets the policy for the FORWARD chain to DROP. If your Docker host also acts as a router, this will result in that router not forwarding any traffic anymore. If you want your system to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to allow it:
$ iptables -I DOCKER-USER -i src_if -o dst_if -j ACCEPT
Another example, showing the chains Docker creates for containers (rule details elided):
# FORWARD chain
-A FORWARD -o br-b8e25922a2fa xxx
-A FORWARD -o docker0 xxx
# DOCKER's chains
-A DOCKER xxx
-A DOCKER-ISOLATION-STAGE-1 xxx
-A DOCKER-ISOLATION-STAGE-2 xxx
-A DOCKER -d 172.18.0.2/32 xxx
# NAT
-A POSTROUTING -s 172.18.0.2/32 xxx
3./ Example: Allow the IP range 172.16.0.0/26 to connect to port 443 for TCP connections in state NEW
iptables -A INPUT -p tcp --dport 443 -s 172.16.0.0/26 -m state --state NEW,ESTABLISHED -j ACCEPT
Of course, a deny-all rule is needed at the very end:
iptables -A INPUT -j DROP
For a Docker container (this is the rule Docker itself adds to its DOCKER chain for a published port):
iptables -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
4./ Block every connection except local ones to a port on the container.
Block every connection from outside to TCP port 9272:
iptables -I DOCKER-USER -i ens160 ! -s 127.0.0.1 -p tcp --dport 9272 -j DROP
Note: the interface that is blocked is the physical interface.
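Sections 3 and 4 place rules in two different chains, and only one of them actually sees traffic to a published container port: packets that Docker DNATs to a container traverse FORWARD (and therefore DOCKER-USER), not INPUT, so an INPUT rule such as the one for port 443 above does not restrict the container port at all. The following script is an added example (not from the original post) of a small audit that reads an iptables-save dump, lists the ports Docker publishes via DNAT, and reports which of them have no DROP rule in DOCKER-USER. The dump is a constructed sample embedded in the script (mirroring the rules in sections 3 and 4); in practice feed it the real output of iptables-save.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an iptables-save dump
# for published container ports that DOCKER-USER does not restrict.
# SAMPLE_DUMP is a constructed sample shaped like real iptables-save output;
# replace it with "$(iptables-save)" on a live host.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9272 -j DNAT --to-destination 172.17.0.3:9272
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp --dport 443 -s 172.16.0.0/26 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -i ens160 ! -s 127.0.0.1 -p tcp --dport 9272 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Print "<proto> <port> <status>" for every port published through the nat
# DOCKER chain. A port counts as "restricted" when DOCKER-USER has a DROP
# rule naming that --dport, or a DROP rule with no --dport at all (which
# covers every port); otherwise it is reported as OPEN. INPUT rules are
# deliberately ignored: DNAT'd packets never traverse INPUT.
audit_published_ports() {
    dump="$1"
    printf '%s\n' "$dump" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $2 == "DOCKER" && /-j DNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            published[proto " " port] = 1
        }
        table == "filter" && $2 == "DOCKER-USER" && /-j DROP/ {
            has_port = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") { covered[$(i + 1)] = 1; has_port = 1 }
            }
            if (!has_port) blanket = 1
        }
        END {
            for (k in published) {
                split(k, f, " ")
                status = (blanket || covered[f[2]]) ? "restricted" : "OPEN"
                print f[1], f[2], status
            }
        }' | sort
}

# Sample run over the constructed dump.
audit_published_ports "$SAMPLE_DUMP"
```

On the sample, port 9272 is reported as restricted (section 4's DOCKER-USER rule) while port 443 is reported as OPEN even though INPUT only allows 172.16.0.0/26: the published port bypasses INPUT entirely. The same check is useful after every "docker run -p", since Docker adds the DNAT rule without touching DOCKER-USER.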
5./ References
https://fixloinhanh.com
https://docs.docker.com/network/iptables/
https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
https://medium.com/swlh/manage-iptables-firewall-for-docker-kubernetes-daa5870aca4d
https://www.jeffgeerling.com/blog/2020/be-careful-docker-might-be-exposing-ports-world