1. 需求
- 需求:iptables增加策略,允许指定主机访问本机的指定端口,但是该端口是docker容器提供的服务。
2. 分析
不想了解原理,直接操作的可以跳过本节
2.1 缘起
- 如果不是docker,我们可以这样写:
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 10.10.181.198 -p tcp --dport 80 -j ACCEPT
- 但是docker建立了自己的iptables规则,将绕过filter表的INPUT链,接下来我们分析docker的iptables规则:
2.2 docker的iptables规则
- 但是对于docker,访问则绕过了filter表的INPUT链
- 而是通
注意:但是本机访问docker服务或容器间互访,依然通过的是filter表的INPUT链
1)nat表
查看iptables的nat表,内容如下:
[root@liubei-test nginx01]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !loopback/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 172.20.0.0/16 anywhere
MASQUERADE all -- 172.19.0.0/16 anywhere
MASQUERADE all -- 172.29.0.0/16 anywhere
MASQUERADE all -- 192.168.176.0/20 anywhere
MASQUERADE tcp -- 192.168.176.2 192.168.176.2 tcp dpt:netopia-vo2
MASQUERADE tcp -- 172.29.0.2 172.29.0.2 tcp dpt:20090
MASQUERADE tcp -- 172.29.0.2 172.29.0.2 tcp dpt:10090
MASQUERADE tcp -- 172.29.0.2 172.29.0.2 tcp dpt:lrp
MASQUERADE tcp -- 172.20.0.2 172.20.0.2 tcp dpt:http
MASQUERADE tcp -- 172.19.0.2 172.19.0.2 tcp dpt:http
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.20.0.2:80
- Chain PREROUTING 将请求转发到DOCKER链处理:
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
- ADDRTYPE:iptables的一个扩展模块,用于根据地址类型进行匹配。
- dst-type LOCAL:表示目标地址必须是本地地址
- Chain DOCKER 修改了目标地址:
DNAT tcp -- anywhere anywhere tcp dpt:http to:172.20.0.2:80
2)filter表
[root@liubei-test src]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.10.87.18 anywhere tcp dpt:2375
DROP tcp -- anywhere anywhere tcp dpt:2375
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
- 因为nat表修改了访问的目标地址,因此不再由filter表的INPUT链处理,而是交给了filter表的FORWARD链处理
- FORWARD链会将请求依次交给如下链处理
- DOCKER-USER
- 作用:
允许用户在此自定义规则
- 作用:
- Chain DOCKER-ISOLATION-STAGE-1
- 选择交给Chain DOCKER-ISOLATION-STAGE-2 处理
- 作用:主要用于实现Docker容器之间的网络隔离
- DOCKER
- docker自动创建的iptables规则
注意的是,iptables的规则是匹配到即跳出。
- DOCKER-USER
3. 操作
如上文,我们只需修改预留给我们的filter表的DOCKER-USER链即可
iptables -I DOCKER-USER -p tcp --dport 80 -j DROP
iptables -I DOCKER-USER -s 10.10.181.201 -p tcp --dport 80 -j ACCEPT