Restrict Docker exposed port from only specific IP addresses


Problem description

How to restrict a container's port exposed by Docker from only a list of IPs? Only this list of IPs would be able to access this port.

I tried:

iptables -I DOCKER -p tcp --dport PORT_X -j REJECT --reject-with icmp-port-unreachable
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_1 --destination HOST_IP_1 -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_2 --destination HOST_IP_1 -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_3 --destination HOST_IP_1 -j ACCEPT

Recommended answer

I had the same problem. I solved it with these rules:

iptables -I DOCKER-USER -i <your_interface_name> -j DROP
iptables -I DOCKER-USER -i <your_interface_name> -s <your_first_ip> -j ACCEPT
iptables -I DOCKER-USER -i <your_interface_name> -s <your_second_ip> -j ACCEPT

Take care: DOCKER-USER is a chain, on service docker restart

You should be able to add your port flag, but I'm not an expert and it is not my need.
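
The port-scoped variant the answer alludes to, as an added example that is not part of the original answer: a POSIX shell function that prints the DOCKER-USER rules for one published TCP port and a source allowlist. The interface name, port and addresses are constructed sample values, and matching on conntrack's original destination port is this example's choice, made because DOCKER-USER sees packets after DNAT.

```shell
#!/bin/sh
# Added example: print (not apply) DOCKER-USER allowlist rules for one port.

# Succeeds if $1 is an IPv4 address with an optional /0-32 prefix.
is_ipv4() {
    addr=${1%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# docker_user_rules <interface> <published_port> <source>...
docker_user_rules() {
    [ $# -ge 3 ] || { echo "usage: iface port source..." >&2; return 2; }
    iface=$1; port=$2; shift 2
    case $iface in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 2 ;; esac
    case $port in *[!0-9]*) echo "bad port" >&2; return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 2; }
    for src in "$@"; do
        is_ipv4 "$src" || { echo "bad source: $src" >&2; return 2; }
    done
    # DOCKER-USER is evaluated after DNAT, so --dport would see the container
    # port; conntrack's original destination port is the published host port.
    # --ctdir ORIGINAL keeps replies to a container's own outbound connections
    # to that port number out of the match.
    match="-i $iface -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"
    # -I inserts at the top: emit DROP first so each later ACCEPT lands above it.
    echo "iptables -I DOCKER-USER $match -j DROP"
    for src in "$@"; do
        echo "iptables -I DOCKER-USER $match -s $src -j ACCEPT"
    done
}

# Constructed sample values (documentation address ranges), not from the page.
docker_user_rules eth0 8080 203.0.113.5 198.51.100.0/24
```

The function only prints the commands; review them and run them as root to apply.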
