1. Requirement
Requirement:
Add an iptables policy that allows a specified host to access a specified port on this machine, where that port is served by a docker container.
2. Analysis
Readers who do not want to understand the mechanism and just want the commands can skip this section.
2.1 Origin
- If the service were not running in docker, we could simply write:
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 10.10.181.198 -p tcp --dport 80 -j ACCEPT
- But docker installs its own iptables rules, which bypass the filter table's INPUT chain. Next we analyze docker's iptables rules:
2.2 docker's iptables rules
- For docker, however, access bypasses the filter table's INPUT chain
- Instead it goes through
Note: access to the docker service from the host itself, and traffic between containers, still goes through the filter table's INPUT chain.
1) nat table
Looking at the iptables nat table, the contents are as follows:
[root@liubei-test nginx01]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.20.0.0/16        anywhere
MASQUERADE  all  --  172.19.0.0/16        anywhere
MASQUERADE  all  --  172.29.0.0/16        anywhere
MASQUERADE  all  --  192.168.176.0/20     anywhere
MASQUERADE  tcp  --  192.168.176.2        192.168.176.2        tcp dpt:netopia-vo2
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:20090
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:10090
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:lrp
MASQUERADE  tcp  --  172.20.0.2           172.20.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.19.0.2           172.19.0.2           tcp dpt:http

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.20.0.2:80
1. Chain PREROUTING hands the request to the DOCKER chain for processing:
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
addrtype: an iptables extension module that matches packets by address type. dst-type LOCAL: the destination address must be a local address.
2. Chain DOCKER rewrites the destination address:
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.20.0.2:80
2) filter table
[root@liubei-test src]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.87.18          anywhere             tcp dpt:2375
DROP       tcp  --  anywhere             anywhere             tcp dpt:2375

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
1. Because the nat table rewrote the destination address, the packet is no longer handled by the filter table's INPUT chain; it is handed to the filter table's FORWARD chain instead.
2. The FORWARD chain hands the request to the following chains in turn.
Note that once a rule matches, iptables stops traversing the chain.
DOCKER-USER
- Purpose: reserved for user-defined rules
Chain DOCKER-ISOLATION-STAGE-1
- Decides whether to hand off to chain DOCKER-ISOLATION-STAGE-2
- Purpose: mainly implements network isolation between docker containers
DOCKER
- iptables rules created automatically by docker
3. Operation
As shown above, we only need to modify the DOCKER-USER chain of the filter table, which is reserved for us:
iptables -I DOCKER-USER -p tcp --dport 80 -j DROP
iptables -I DOCKER-USER -s 10.10.181.201 -p tcp --dport 80 -j ACCEPT
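As an added example (not the post's own commands), the following script applies the same DOCKER-USER lockdown in a way that can be re-run safely and previewed before touching the firewall. It assumes the client 10.10.181.201 and port 80 from the post, plus two things not on the page: an external interface name (eth0) and the conntrack --ctorigdstport match, which matters because DOCKER-USER sees the packet after the nat DNAT, so a plain --dport matches the container's port rather than the published one.

```shell
#!/bin/sh
# Added example (not from the original post): lock a docker-published port down
# to one allowed client via DOCKER-USER. Assumptions: client 10.10.181.201,
# published port 80, clients arrive on interface EXT_IF (eth0 here).
set -eu

ALLOWED_SRC="${ALLOWED_SRC:-10.10.181.201}"
PORT="${PORT:-80}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface; -i keeps host-local and
                           # container-to-container traffic out of the DROP
DRY_RUN="${DRY_RUN:-0}"    # DRY_RUN=1 prints the commands instead of running them

# Run iptables, or print the command when dry-running (for review and testing).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Match the port the client connected to (--ctorigdstport), not --dport: when a
# packet reaches DOCKER-USER the nat PREROUTING DNAT has already rewritten the
# destination to the container's IP:port, so --dport would see the container port.
port_match() {
    echo "-i $EXT_IF -p tcp -m conntrack --ctorigdstport $PORT --ctdir ORIGINAL"
}

# Insert at the top of DOCKER-USER only if the rule is not already present,
# so re-running the script does not stack duplicate rules.
ensure_rule() {
    if [ "$DRY_RUN" != 1 ] && iptables -C DOCKER-USER "$@" 2>/dev/null; then
        return 0
    fi
    ipt -I DOCKER-USER "$@"
}

# Order matters: -I puts each rule at position 1, so insert the DROP first and
# the ACCEPT for the allowed client afterwards, which places it above the DROP.
apply_rules() {
    ensure_rule $(port_match) -j DROP
    ensure_rule -s "$ALLOWED_SRC" $(port_match) -j ACCEPT
}

# Usage: DRY_RUN=1 sh lockdown.sh apply  (preview)    sh lockdown.sh apply  (as root)
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it with DRY_RUN=1 first and compare the printed commands against `iptables -L DOCKER-USER -n --line-numbers` after applying; the ACCEPT for the allowed client must be listed above the DROP.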
Summary
The above is my personal experience; I hope it serves as a useful reference, and I hope readers will continue to support 代码网.