我有一个安装了Docker的Linux服务器。我想配置INPUT链,只允许一些可信的IP连接。因此,我添加了几条ACCEPT规则,并将INPUT链的默认POLICY改为DROP。结果从受信任的IP也无法再访问服务器了,我不知道为什么。
我是iptables新手。Docker的链/规则是否会影响INPUT链的默认POLICY?为什么我做的配置没有按预期工作?
[root@localhost ~]# iptables -F INPUT
[root@localhost ~]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
[root@localhost ~]# iptables -A INPUT -s 113.55.0.0/16 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 202.203.0.0/16 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -L INPUT -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 113.55.0.0/16 0.0.0.0/0
ACCEPT all -- 202.203.0.0/16 0.0.0.0/0
ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
ACCEPT all -- 172.16.0.0/12 0.0.0.0/0
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
[root@localhost ~]# # Then the traffic from the accept IP is not working anymore!
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 113.55.0.0/16 0.0.0.0/0
ACCEPT all -- 202.203.0.0/16 0.0.0.0/0
ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
ACCEPT all -- 172.16.0.0/12 0.0.0.0/0
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (11 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6049
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6049
ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.19.0.3 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 172.21.0.3 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6048
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.21.0.4 tcp dpt:1157
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6048
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6047
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6047
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6046
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6046
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6045
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6045
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6044
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6044
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6043
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6043
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6042
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6042
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6041
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6041
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6040
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6040
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6039
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6039
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6038
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6038
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6037
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6037
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6036
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6036
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6035
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6035
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6034
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6034
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6033
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6033
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6032
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6032
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6031
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6031
ACCEPT tcp -- 0.0.0.0/0 172.21.0.2 tcp dpt:6030
ACCEPT udp -- 0.0.0.0/0 172.21.0.2 udp dpt:6030
ACCEPT tcp -- 0.0.0.0/0 172.25.0.2 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.25.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:5678
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 172.26.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.26.0.4 tcp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 172.27.0.6 tcp dpt:8088
ACCEPT tcp -- 0.0.0.0/0 172.17.0.8 tcp dpt:8080
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (11 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@localhost ~]#
我必须添加这条规则:
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
因为我使用nginx作为反向代理,proxy_pass 指向 127.0.0.1 环回地址,而INPUT链的DROP策略会把这些发往环回地址的连接一并丢弃。放行环回流量更常见的写法是按接口匹配(-i lo)而不是按源地址;另外,上面的INPUT规则集没有像FORWARD链那样放行 RELATED,ESTABLISHED 状态的报文,服务器主动发起的对外连接(例如DNS查询、软件更新)的回包也会被丢弃。