docker iptables INPUT rules do not work properly

9vw9lbht posted on 2023-06-21 in Docker

I have a Linux server with Docker installed. I want to configure the INPUT chain to restrict connections to a few trusted IPs. So I added some ACCEPT rules and changed the default POLICY of the INPUT chain to DROP. After that, the network could not be reached from the trusted IPs. I don't know why.
I am new to iptables. Do the Docker chains/rules affect the default POLICY of the INPUT chain? Why doesn't the configuration I made work as expected!

[root@localhost ~]# iptables -F INPUT 
[root@localhost ~]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
[root@localhost ~]# iptables -A INPUT -s 113.55.0.0/16 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 202.203.0.0/16 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT           
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -L INPUT -n
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  113.55.0.0/16        0.0.0.0/0           
ACCEPT     all  --  202.203.0.0/16       0.0.0.0/0           
ACCEPT     all  --  10.0.0.0/8           0.0.0.0/0           
ACCEPT     all  --  172.16.0.0/12        0.0.0.0/0           
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0
[root@localhost ~]# # Then the traffic from the accept IP is not working anymore!
[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  113.55.0.0/16        0.0.0.0/0           
ACCEPT     all  --  202.203.0.0/16       0.0.0.0/0           
ACCEPT     all  --  10.0.0.0/8           0.0.0.0/0           
ACCEPT     all  --  172.16.0.0/12        0.0.0.0/0           
ACCEPT     all  --  192.168.0.0/16       0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (11 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6049
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6049
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.19.0.3           tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.3           tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6048
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.4           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.4           tcp dpt:1157
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6048
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6047
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6047
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6046
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6046
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6045
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6045
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6044
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6044
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6043
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6043
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6042
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6042
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6041
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6041
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6040
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6040
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6039
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6039
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6038
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6038
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6037
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6037
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6036
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6036
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6035
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6035
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6034
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6034
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6033
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6033
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6032
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6032
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6031
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6031
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:6030
ACCEPT     udp  --  0.0.0.0/0            172.21.0.2           udp dpt:6030
ACCEPT     tcp  --  0.0.0.0/0            172.25.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.25.0.2           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:5678
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.6           tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.7           tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            172.26.0.2           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.26.0.4           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.27.0.6           tcp dpt:8088
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.8           tcp dpt:8080

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (11 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
[root@localhost ~]#
bvhaajcl 1#

I had to add this rule: iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT, because I use nginx as a reverse proxy and proxy_pass goes to the 127.0.0.1 loopback address.
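The following is an added example (not code from the poster or the answerer) that turns the answer's fix and the question's trusted ranges into a ruleset a practitioner would load instead of typing ad-hoc commands: it keeps the INPUT DROP policy, accepts loopback and established replies before the trusted ranges, and also covers published container ports, which are DNATed and go through FORWARD and DOCKER-USER rather than INPUT. The interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example: print an iptables-restore fragment that keeps the
# INPUT DROP policy from the question but adds what the post was missing.
# Usage: gen_rules EXT_IF CIDR...   (EXT_IF is the assumed public interface)
gen_rules() {
    ext_if=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':DOCKER-USER - [0:0]'
    # Loopback first: the answer's fix, matched on the interface so that a
    # packet claiming a 127/8 source on another interface is not accepted.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the host itself opened (DNS, package updates).
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for cidr in "$@"; do
        printf '%s\n' "-A INPUT -s $cidr -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Published container ports never reach INPUT: they are DNATed and pass
    # through FORWARD -> DOCKER-USER, the chain Docker leaves for the admin.
    # Apply the same allow-list there, on the public interface only.
    printf '%s\n' "-A DOCKER-USER -i $ext_if -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    for cidr in "$@"; do
        printf '%s\n' "-A DOCKER-USER -i $ext_if -s $cidr -j RETURN"
    done
    printf '%s\n' "-A DOCKER-USER -i $ext_if -j DROP"
    printf '%s\n' '-A DOCKER-USER -j RETURN'
    printf '%s\n' 'COMMIT'
}
# Sanity check before loading: loopback and conntrack rules must precede the
# first trusted-source rule, otherwise proxy_pass and outbound replies break.
check_rules() {
    rules=$(gen_rules "$@")
    lo=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -i lo' | cut -d: -f1)
    est=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -m conntrack --ctstate RELATED' | cut -d: -f1)
    first=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -s ' | head -n1 | cut -d: -f1)
    [ -n "$lo" ] && [ -n "$est" ] && [ "$lo" -lt "$first" ] && [ "$est" -lt "$first" ]
}
# Loading (as root): empty INPUT while its policy is still ACCEPT, then load
# with --noflush so Docker's other chains are untouched; redeclaring
# DOCKER-USER replaces its contents (Docker only placed a RETURN there).
#   iptables -P INPUT ACCEPT && iptables -F INPUT
#   gen_rules eth0 113.55.0.0/16 202.203.0.0/16 10.0.0.0/8 | iptables-restore -n
```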
