Disable access to LAN from docker container
Problem description
I am running Gentoo host with Ubuntu container in Docker. They communicate via bridge automatically created by Docker. I would like to drop all traffic for 192.168.0.0/16 that may come out of container.
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
Please let me know if I need to provide extra information
One option would be to run docker with --icc=false, preventing any container from communicating with the host or with other containers; you could then let containers communicate with each other by linking them with --link=container_name:alias.
You could also operate with iptables with a rule like:
iptables -A INPUT -i docker0 -d 192.168.0.0/16 -j DROP
Keep in mind that a host doesn't see a dropped packet coming back as an ICMP error, so REJECT may be more appropriate in most cases.
Edit: correcting the rule to block forwarding to other hosts:
iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
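The answer's correction changes two things: the chain (container-to-LAN traffic is routed through the host, so it traverses FORWARD, never INPUT) and the verb (-I instead of -A). The second matters because Docker's own "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT" rule, visible in the question's listing, accepts everything leaving the bridge; a block rule appended after it never gets a chance to match. The following POSIX shell script is an added example, not code from the original question or answer: it replays first-match evaluation of the question's FORWARD rules against one container-to-LAN packet and shows the verdict with no block rule, with the rule appended, and with it inserted. Assumptions not on the page: the host's LAN uplink is named eth0, and the sample packet is a new TCP connection from a container to 192.168.1.10:22.

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Simulates first-match evaluation of the FORWARD chain for one container->LAN
# packet, to show why the block rule must be inserted (-I) ahead of Docker's
# "-A FORWARD -i docker0 ! -o docker0 -j ACCEPT" rather than appended (-A).
# Assumptions not on the page: the LAN uplink is eth0 and the sample packet is
# a new TCP connection from a container to 192.168.1.10:22.
LAN_NET="192.168.0.0/16"
# The answer's rule in "iptables -S" listing form (REJECT, as the answer suggests).
BLOCK_RULE="-A FORWARD -i docker0 -d $LAN_NET -j REJECT"

# FORWARD rules exactly as shown in the question's "iptables -S" output.
docker_forward_rules() {
cat <<'EOF'
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
}

# forward_verdict IIF OIF DST PROTO DPORT POLICY   (rules on stdin)
# Walks the rules in order and prints the target of the first rule matching a
# NEW connection (so RELATED,ESTABLISHED never matches), or POLICY if none does.
# Handles the matches present on this page: -i/-o (with !), -d, -p, --dport, --ctstate.
forward_verdict() {
    awk -v iif="$1" -v oif="$2" -v dst="$3" -v proto="$4" -v dport="$5" -v policy="$6" '
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function in_cidr(ip, cidr,  p, bits) {
        split(cidr, p, "/"); bits = (p[2] == "" ? 32 : p[2] + 0)
        return int(ip2int(ip) / 2^(32 - bits)) == int(ip2int(p[1]) / 2^(32 - bits))
    }
    $1 == "-A" && $2 == "FORWARD" {
        ok = 1; neg = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { neg = 1; continue }
            if ($i == "-i")             { m = ($(i+1) == iif);      i++ }
            else if ($i == "-o")        { m = ($(i+1) == oif);      i++ }
            else if ($i == "-d")        { m = in_cidr(dst, $(i+1)); i++ }
            else if ($i == "-p")        { m = ($(i+1) == proto);    i++ }
            else if ($i == "--dport")   { m = ($(i+1) == dport);    i++ }
            else if ($i == "--ctstate") { m = 0;                    i++ }   # new connection
            else if ($i == "-j")        { target = $(i+1); i++; continue }
            else if ($i == "-m")        { i++; continue }                   # skip module name
            else continue                                                   # e.g. --reject-with arg
            if (neg) m = !m
            neg = 0
            if (!m) { ok = 0; break }
        }
        if (ok) { print target; found = 1; exit }
    }
    END { if (!found) print policy }'
}

# verdict_for_ruleset original|appended|inserted [DST]
# "appended" puts the block rule last (what -A would do); "inserted" puts it
# first (what -I does). Prints the verdict for a new container packet to DST.
verdict_for_ruleset() {
    dst="${2:-192.168.1.10}"
    case "$1" in
        appended) { docker_forward_rules; printf '%s\n' "$BLOCK_RULE"; } ;;
        inserted) { printf '%s\n' "$BLOCK_RULE"; docker_forward_rules; } ;;
        *)        docker_forward_rules ;;
    esac | forward_verdict docker0 eth0 "$dst" tcp 22 ACCEPT
}

# Real-host application (needs root; not run here): insert at the top of FORWARD
# only if the rule is not already present, so re-running does not stack duplicates.
apply_block_rule() {
    iptables -C FORWARD -i docker0 -d "$LAN_NET" -j REJECT 2>/dev/null \
        || iptables -I FORWARD -i docker0 -d "$LAN_NET" -j REJECT
}

for variant in original appended inserted; do
    echo "$variant: container -> 192.168.1.10 => $(verdict_for_ruleset "$variant")"
done
```

The simulation prints ACCEPT for both the original and the appended variant and REJECT only for the inserted one, which is the whole point of the answer's edit; the same inserted ruleset still returns ACCEPT for a container packet to a non-LAN address and for an inbound connection to the published port 443, so the rule is narrowly scoped. Two practical notes beyond the page: the earlier INPUT rule would only have affected packets addressed to the host itself, and on Docker versions that provide the DOCKER-USER chain (evaluated before Docker's own FORWARD rules) the rule belongs there, where the daemon will not reorder or flush it on restart.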