Block external access to docker containers
Question
I would like to block direct access to the docker containers from outside. I use a haproxy and want to only allow access to port 80, 443.
I added the following rule to iptables. But I still can access docker containers through different ports.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
This is probably due to the DOCKER chain
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
What rules would I need to create to block direct access?
Accepted answer
Rather than doing this with IP tables you could use the docker network create NETWORK command to create a network to connect your apps to as well as your proxy. Also don't expose the apps on any ports. The only container you should expose is your proxy. From within the proxy you can then route traffic using the container name as a hostname. Each container on the same network can be reached by other containers.
For example, if
- I have container A which has a name of my-service and a service running on port 3000 and no ports published to the host
- Container B which is a proxy running on port 80 published to the host. My proxy can pass requests to http://my-service:3000 and it will route traffic to the container.
- If I try to go to http://mydomain:3000 this won't work as ports have not been exposed and the only way to reach the app is via the proxy on port 80
I'd suggest taking a read of https://docs.docker.com/engine/userguide/networking/work-with-networks/ as this explains how to get started with networking.
Full disclosure: I use this setup on my personal VPS and cannot reach my containers directly through their ports. Using the built-in docker networking is probably more fun than messing with IP tables.
Hope this is useful.
Dylan
I have generalised the process as I do not know the specifics of your setup with regards to proxies, network restrictions etc. I have also not gone into specific commands as the link above covers it better than I would.
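The layout Dylan describes, written out as a Docker Compose file. This is an added example, not code from the original answer; the service and network names, image tags and HAProxy listener names are assumed. The reason the INPUT rules in the question did not help is that published ports are DNAT'ed and pass through the FORWARD and DOCKER chains rather than INPUT, so the fix is to not publish the app's port at all and let only the proxy publish 80 and 443.

```yaml
# Added example (not the original answer's code): app reachable only through the proxy.
# Service/network names, image tags and HAProxy names are assumed for illustration.
services:
  my-service:
    image: my-app:latest            # assumed app image; it listens on 3000 inside the container
    networks: [backend-net]
    # Deliberately no "ports:" entry. Nothing is published, so Docker adds
    # no DNAT/FORWARD rule and http://<host>:3000 is unreachable from outside.

  proxy:
    image: haproxy:2.8              # assumed tag
    ports:
      - "80:80"                     # the only ports published on the host
      - "443:443"
    networks: [backend-net]
    configs:
      - source: haproxy_cfg
        target: /usr/local/etc/haproxy/haproxy.cfg
    depends_on: [my-service]

networks:
  backend-net:                      # user-defined bridge: embedded DNS resolves container names
    driver: bridge

configs:
  haproxy_cfg:
    # Inline "content:" needs Docker Compose 2.23.1 or newer; with older
    # versions put this text in ./haproxy.cfg and use "file: ./haproxy.cfg".
    content: |
      global
          log stdout format raw local0
      defaults
          mode http
          timeout connect 5s
          timeout client  30s
          timeout server  30s
      frontend fe_http
          bind *:80
          # add "bind *:443 ssl crt /path/to/cert.pem" here once a certificate is in place
          default_backend be_app
      backend be_app
          # the container name resolves via Docker's embedded DNS on backend-net
          server app1 my-service:3000 check
```

After `docker compose up -d`, `docker port <my-service container>` prints nothing and `iptables -t nat -L DOCKER -n` lists DNAT entries only for ports 80 and 443, which is the check that confirms the app is not reachable directly.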