*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
# BASIC Allow
-A INPUT -i lo -j ACCEPT
# Chain to FILTERS
-A INPUT -j FILTERS
-A DOCKER-USER -i eth0 -j FILTERS
# COMMON FIREWALL RULES
# Accept replies to connections the host or a container already opened;
# without this the final REJECT below also kills return traffic of outbound connections
-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ALLOW something
-A FILTERS -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# DENY something
-A FILTERS -p icmp --icmp-type echo-request -j REJECT
###################################################################
### special cases for servers
### please modify by the server
### end special cases
############################################################
# FINAL REJECT
# Optional logging
-A FILTERS -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A FILTERS -j REJECT
COMMIT
After some study I found that this line will allow access to container port 80 when jumped to from DOCKER-USER into FILTERS:
-A DOCKER-USER -i wlp3s0 -j FILTERS
-A FILTERS -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Here "80,443" are not the ports on the host side of the binding, but on the container side,
e.g. for 8080:80, 8080 (the left side) is the host-side port and 80 (the right side) is the container-side port.
If you modify the rule to
-A FILTERS -p tcp -m multiport --dports 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
then port 8080 is not accessible from outside.
Thanks for looking into this, really appreciate the help. I think I will stick with my current setup and use double rules in INPUT+DOCKER-USER for the per-host, per-service mapping.
You have a different use case.
Mine is for hosts with 2 interfaces. One has the public IP address serving 80/443, the other has a private IP serving other internal services. The rules in this example block unexpected access from the private IP interface.
The official documentation could help your use case:
https://docs.docker.com/network/iptables/
You could instead allow connections from a source subnet. The following rule only allows access from the subnet 192.168.1.0/24:
$ iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
As you have this line
-A DOCKER-USER -i wlp3s0 -j FILTERS
the above rule is like
-A FILTERS -i wlp3s0 ! -s 192.168.1.0/24 -j DROP
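The following Python is an added example, not code from the gist or from any of the comments above. It models the order in which netfilter consults the nat PREROUTING hook (where Docker's DNAT for a published port happens), the routing decision, and then the filter INPUT or FORWARD chains, with DOCKER-USER evaluated before Docker's own FORWARD rules. It illustrates two passages at once: the comment above about --dports matching the container-side port of a `-p 8080:80` mapping, and the `! -s 192.168.1.0/24 -j DROP` rule quoted from the Docker docs. The topology is assumed: eth0 is the public interface at 203.0.113.10, eth1 the private one at 10.0.0.10, and one container at 172.17.0.2 publishes host port 8080 to container port 80. Docker's real FORWARD rules are replaced by a two-rule stand-in (`DOCKER` chain) that accepts published ports and established traffic.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology (not from the gist): eth0 public, eth1 private, one container
# started with "-p 8080:80", i.e. host port 8080 -> 172.17.0.2:80.
HOST_IPS = {"eth0": "203.0.113.10", "eth1": "10.0.0.10"}
PUBLISHED = {8080: ("172.17.0.2", 80)}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    ctstate: str = "NEW"   # what "-m conntrack --ctstate" would report for this packet


@dataclass(frozen=True)
class Rule:
    """The subset of iptables matches used by the gist and by the Docker docs rule."""
    target: str                        # ACCEPT, REJECT, DROP, or a user chain to jump to
    in_iface: Optional[str] = None     # -i IFACE
    dports: frozenset = frozenset()    # -p tcp -m multiport --dports ...
    ctstates: frozenset = frozenset()  # -m conntrack --ctstate ...
    not_src: Optional[str] = None      # ! -s CIDR

    def matches(self, p: Packet) -> bool:
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.ctstates and p.ctstate not in self.ctstates:
            return False
        if self.not_src and ip_address(p.src) in ip_network(self.not_src):
            return False
        return True


def walk(chains: dict, name: str, p: Packet) -> Optional[str]:
    """Evaluate a chain top to bottom; None means it fell through (implicit RETURN)."""
    for rule in chains[name]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "REJECT", "DROP"):
            return rule.target
        verdict = walk(chains, rule.target, p)   # -j USER_CHAIN
        if verdict is not None:
            return verdict
    return None


def deliver(filters: list, p: Packet, docker_user: Optional[list] = None) -> str:
    """Run p through nat PREROUTING (Docker's DNAT), then filter INPUT or FORWARD."""
    # 1. nat PREROUTING runs before every filter chain: a NEW connection to a published
    #    host port is rewritten to the container address and *container* port here.
    if p.dst in HOST_IPS.values() and p.dport in PUBLISHED and p.ctstate == "NEW":
        cip, cport = PUBLISHED[p.dport]
        p = replace(p, dst=cip, dport=cport)
    chains = {
        "INPUT": [Rule("ACCEPT", in_iface="lo"), Rule("FILTERS")],
        "FILTERS": filters,
        # Gist default: only traffic entering on eth0 is sent through FILTERS.
        "DOCKER-USER": docker_user if docker_user is not None else [Rule("FILTERS", in_iface="eth0")],
        # Stand-in for Docker's own FORWARD rules: accept published ports and reply traffic.
        "DOCKER": [Rule("ACCEPT", dports=frozenset(cp for _, cp in PUBLISHED.values())),
                   Rule("ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"}))],
        "FORWARD": [Rule("DOCKER-USER"), Rule("DOCKER")],
    }
    # 2. Routing decision: a local destination goes to INPUT, anything else to FORWARD.
    if p.dst in HOST_IPS.values():
        return walk(chains, "INPUT", p) or "ACCEPT"   # :INPUT ACCEPT
    return walk(chains, "FORWARD", p) or "DROP"       # :FORWARD DROP


def filters_with(*ports: int) -> list:
    """The gist's FILTERS chain (LOG rule omitted) with the given --dports list."""
    return [Rule("ACCEPT", dports=frozenset(ports), ctstates=frozenset({"NEW", "ESTABLISHED"})),
            Rule("REJECT")]


def filters_with_replies(*ports: int) -> list:
    """Same chain with an ESTABLISHED,RELATED accept in front, so replies to connections
    the host or a container opened are not caught by the final REJECT."""
    return [Rule("ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"}))] + filters_with(*ports)


if __name__ == "__main__":
    client = "198.51.100.7"
    to_published = Packet("eth0", client, HOST_IPS["eth0"], 8080)
    reply = Packet("eth0", client, "172.17.0.2", 45000, "ESTABLISHED")  # reply to a container's outbound
    print("dports 80,443, client -> host:8080 :", deliver(filters_with(80, 443), to_published))   # ACCEPT
    print("dports 443,    client -> host:8080 :", deliver(filters_with(443), to_published))       # REJECT
    print("dports 8080,   client -> host:8080 :", deliver(filters_with(8080), to_published))      # REJECT
    print("gist chain,    reply to container  :", deliver(filters_with(80, 443), reply))          # REJECT
    print("with replies,  reply to container  :", deliver(filters_with_replies(80, 443), reply))  # ACCEPT
    print("gist chain,    eth1 -> host:8080   :", deliver(filters_with(80, 443), Packet("eth1", "10.0.0.99", HOST_IPS["eth1"], 8080)))  # ACCEPT
    subnet_only = [Rule("DROP", in_iface="eth0", not_src="192.168.1.0/24")]
    print("docs rule,     outside the subnet  :", deliver(filters_with(80, 443), to_published, subnet_only))  # DROP
```

Three things the run shows. A rule written with the host-side port (`--dports 8080`) never matches in DOCKER-USER, because the port has already been rewritten to 80 by the time FORWARD runs; the same packet is accepted with 80 in the list and rejected with only 443, which is the behaviour reported in the comment above. Because the gist's `-A DOCKER-USER -i eth0 -j FILTERS` is scoped to eth0, a published container port stays reachable from the private interface in this model, so the interface restriction has to be re-checked if the private side is not meant to reach containers. And without an ESTABLISHED,RELATED accept ahead of the final REJECT, reply traffic to connections a container itself opened is rejected in FILTERS before Docker's own rules ever see it.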