首页 > 网站技巧 > 服务器 > 云和虚拟化 > docker > docker的iptables策略和用户自定义策略的添加

docker的iptables策略详解和用户自定义策略的添加方式

2024-10-10 11:06:47 作者：玄德公笔记

在Docker环境下,直接修改iptables以允许特定主机访问指定端口时,需要考虑Docker自身的iptables规则,Docker通过修改nat表的PREROUTING链和filter表的FORWARD链来处理外部对Docker容器的访问,绕过了filter表的INPUT链

1. 需求

需求：

iptables增加策略，允许指定主机访问本机的指定端口，但是该端口是docker容器提供的服务。

2. 分析

不想了解原理，直接操作的可以跳过本节

2.1 缘起

如果不是docker，我们可以这样写：

iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 10.10.181.198 -p tcp --dport 80 -j ACCEPT

但是docker建立了自己的iptables规则，将绕过filter表的INPUT链，接下来我们分析docker的iptables规则：

2.2 docker的iptables规则

但是对于docker，访问则绕过了filter表的INPUT链
而是通

注意：但是本机访问docker服务或容器间互访，依然通过的是filter表的INPUT链

1）nat表

查看iptables的nat表，内容如下：

[root@liubei-test nginx01]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.20.0.0/16        anywhere
MASQUERADE  all  --  172.19.0.0/16        anywhere
MASQUERADE  all  --  172.29.0.0/16        anywhere
MASQUERADE  all  --  192.168.176.0/20     anywhere
MASQUERADE  tcp  --  192.168.176.2        192.168.176.2        tcp dpt:netopia-vo2
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:20090
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:10090
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:lrp
MASQUERADE  tcp  --  172.20.0.2           172.20.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.19.0.2           172.19.0.2           tcp dpt:http

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.20.0.2:80

1.Chain PREROUTING 将请求转发到DOCKER链处理：

DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

ADDRTYPE：iptables的一个扩展模块，用于根据地址类型进行匹配。
dst-type LOCAL：表示目标地址必须是本地地址

2.Chain DOCKER 修改了目标地址：

DNAT tcp -- anywhere anywhere tcp dpt:http to:172.20.0.2:80

2）filter表

[root@liubei-test src]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.87.18          anywhere             tcp dpt:2375
DROP       tcp  --  anywhere             anywhere             tcp dpt:2375

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

1.因为nat表修改了访问的目标地址，因此不再由filter表的INPUT链处理，而是交给了filter表的FORWARD链处理

2.FORWARD链会将请求依次交给如下链处理

注意的是，iptables的规则是匹配到即跳出。

DOCKER-USER

作用：允许用户在此自定义规则

Chain DOCKER-ISOLATION-STAGE-1

选择交给Chain DOCKER-ISOLATION-STAGE-2 处理
作用：主要用于实现Docker容器之间的网络隔离

DOCKER

docker自动创建的iptables规则

3. 操作

如上文，我们只需修改预留给我们的filter表的DOCKER-USER链即可

iptables -I DOCKER-USER -p tcp --dport 80 -j DROP
iptables -I DOCKER-USER -s 10.10.181.201 -p tcp --dport 80 -j ACCEPT

总结

以上为个人经验，希望能给大家一个参考，也希望大家多多支持脚本之家。