Block external access to docker containers


Problem description

I would like to block direct access to the docker containers from outside. I use a haproxy and want to only allow access to port 80, 443.

I added the following rule to iptables. But I still can access docker containers through different ports.

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT

This is probably due to the DOCKER chain

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

What rules would I need to create to block direct access?

Recommended answer

Rather than doing this with IP tables you could use the docker network create NETWORK command to create a network to connect your apps to as well as your proxy. Also don't expose the apps on any ports. The only container you should expose is your proxy. From within the proxy you can then route traffic using the container name as a hostname. Each container on the same network can be reached by other containers.

For example, if

  • I have container A which has a name of my-service and a service running on port 3000 and no ports published to the host
  • Container B which is a proxy running on port 80 published to the host. My proxy can pass requests to http://my-service:3000 and it will route traffic to the container.
  • If I try to go to http://mydomain:3000 this won't work as ports have not been exposed and the only way to reach the app is via the proxy on port 80

I'd suggest taking a read of https://docs.docker.com/engine/userguide/networking/work-with-networks/ as this explains how to get started with networking.

Full disclosure: I use this approach on my personal VPS and cannot reach my containers directly through their ports. Using the built-in docker networking is probably more fun than messing with iptables.

Hope this is useful.

Dylan

I have generalised the process as I do not know the specifics of your setup with regards to proxies, network restrictions etc. I have also not gone into specific commands as the link above covers it better than I would.
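The setup the answer sketches, written out as an added example (not code from the answer or the question): a user-defined network, the app container joined to it without any `-p` flag, and HAProxy as the only published container, reaching the app by container name. The network name `proxy-net`, the image `my-app:latest`, the `haproxy:2.8` image tag and the config directory are assumptions; `docker` commands only run when the script is invoked with `deploy`.

```shell
#!/bin/sh
# Added example: expose only the proxy, keep the app on a private Docker network.
# Assumptions: network "proxy-net", app image "my-app:latest" listening on 3000,
# container name "my-service", HAProxy published on host port 80 only.
set -eu

DOCKER="${DOCKER:-docker}"          # overridable so the functions can be dry-run
NET="proxy-net"
APP_NAME="my-service"
APP_IMAGE="my-app:latest"           # assumption: your application image
APP_PORT=3000
CFG_DIR="${CFG_DIR:-$PWD/haproxy}"  # where haproxy.cfg is written

# HAProxy config: frontend on :80, backend reaches the app by container name.
# Docker's embedded DNS on a user-defined network resolves "my-service".
haproxy_cfg() {
    cat <<EOF
global
    log stdout format raw local0
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend http_in
    bind *:80
    default_backend app
backend app
    server app1 ${APP_NAME}:${APP_PORT} check
EOF
}

# The app joins the network but publishes nothing (no -p), so the host's
# DOCKER chain gets no DNAT rule for it and it is unreachable from outside.
run_app() {
    "$DOCKER" run -d --name "$APP_NAME" --network "$NET" "$APP_IMAGE"
}

# The proxy is the only container with a published port.
run_proxy() {
    "$DOCKER" run -d --name haproxy --network "$NET" -p 80:80 \
        -v "$CFG_DIR:/usr/local/etc/haproxy:ro" haproxy:2.8
}

deploy() {
    mkdir -p "$CFG_DIR"
    haproxy_cfg > "$CFG_DIR/haproxy.cfg"
    "$DOCKER" network create "$NET" 2>/dev/null || true   # idempotent
    run_app
    run_proxy
    # Check: only the proxy should list a published port ("docker port" on
    # the app prints nothing).
    echo "app ports:   $("$DOCKER" port "$APP_NAME")"
    echo "proxy ports: $("$DOCKER" port haproxy)"
}

case "${1:-}" in deploy) deploy ;; esac
```

After `sh setup.sh deploy`, `docker port my-service` should print nothing while `docker port haproxy` shows only `80/tcp`.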
