Is it possible to expose docker ports to a specific interface

Problem description

My server has two network interfaces, eth0 and wlan0, one connected to the internet and the other to an internal network. The current solution of exposing Docker container ports with docker-compose to a specific interface is to use:

version: '2'

services:
  mosquitto:
    ports:
      - "192.168.0.1:1883:1883"

This makes it brittle since the IP addresses are distributed via DHCP. Several devices are used, of which each may have a different IP address. Therefore, is it possible to expose ports to only a specific interface? In addition, everything runs on Resin.io, limiting the configuration of iptables and co.

Recommended answer

You can address either of the two blockers mentioned as such:

With regards to the dynamic DHCP IPs, you can follow this resin.io guide about setting up static IPs: https://docs.resin.io/reference/resinOS/network/2.x/#setting-a-static-ip. After setting up a static ip, you should be able to use it in the ports configuration.

Another option is to use iptables, within your mosquitto application container. This can be achieved by:

a) setting network_mode: host and privileged: true for the mosquitto service

b) installing iptables as part of a RUN instruction in your Dockerfile (e.g. RUN apt-get update && apt-get install iptables)

c) configuring iptables (e.g. iptables -A INPUT -i eth0 -p tcp --destination-port 1883 -j DROP to drop connections to port 1883 on the wlan0 interface)

As a side-note, I'd encourage you to have a look at our community forum (https://forums.resin.io) for any resin.io questions you might have. Our user base is pretty active there and chances are that more people will have a similar question or helpful suggestions for you.

Thanks!
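
Added example, not part of the original question or answer: a shell helper that looks up the address DHCP currently gave an interface and builds the "IP:port:port" mapping from it, refusing to produce one (rather than publishing on every interface) when the lookup fails. It assumes iproute2 on the host, a step that can run before docker-compose up (which Resin.io may not allow), and a compose file whose ports entry reads "${MQTT_BIND}"; the names iface_ipv4, port_mapping and MQTT_BIND are made up for this sketch.

```shell
#!/bin/sh
# Added example: resolve an interface's current IPv4 address and build a
# docker-compose port mapping from it. Fails closed when no address is found.

# Constructed sample of `ip -o -4 addr show` output (not from a real host).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
3: wlan0    inet 192.168.0.23/24 brd 192.168.0.255 scope global dynamic wlan0\       valid_lft 43000sec preferred_lft 43000sec'

# iface_ipv4 IFACE: read `ip -o -4 addr show` output on stdin and print the
# first IPv4 address of IFACE. Returns 1 if no usable address is found.
iface_ipv4() {
    addr=$(awk -v dev="$1" \
        '$2 == dev && $3 == "inet" { split($4, a, "/"); print a[1]; exit }')
    case "$addr" in
        # empty, the wildcard address, or anything other than digits and dots
        ''|0.0.0.0|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# port_mapping IFACE PORT: print "ADDR:PORT:PORT" for the compose ports entry.
# Returns 1 (and prints nothing) if the port is not numeric or IFACE has no
# address, so the caller can abort instead of binding to all interfaces.
port_mapping() {
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    addr=$(iface_ipv4 "$1") || return 1
    printf '%s:%s:%s\n' "$addr" "$2" "$2"
}

# Live use (assumption: compose file contains   ports: ["${MQTT_BIND}"]):
#   MQTT_BIND=$(ip -o -4 addr show | port_mapping wlan0 1883) || exit 1
#   export MQTT_BIND && docker-compose up -d
```

The published address is fixed when the container is created, so a changed DHCP lease means re-running the lookup and recreating the container.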
