Cấu hình Iptables với Docker Container

Để​​ hiểu cách thức hoạt động của Iptables các bạn có thể​​ đọc hướng dẫn link:

https://cloudx.com.vn/tim-hieu-iptables/

1./ Ví dụ: Restrict connections to the Docker host

By default, all external source IPs are allowed to connect to the Docker host. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER-USER filter chain. For example, the following rule restricts external access from all IP addresses except 192.168.1.1:

iptables​​ -I​​ DOCKER-USER​​ -i​​ ext_if​​ !​​ -s​​ 192.168.1.1​​ -j​​ DROP

Please note that you will need to change ext_if to correspond with your host’s actual external interface. You could instead allow connections from a source subnet. The following rule only allows access from the subnet 192.168.1.0/24:

iptables​​ -I​​ DOCKER-USER​​ -i​​ ext_if​​ !​​ -s​​ 192.168.1.0/24​​ -j​​ DROP

Finally,​​ you can specify a range of IP addresses to accept using --src-range (Remember to also add -m iprange when using --src-range or --dst-range):

iptables​​ -I​​ DOCKER-USER​​ -m​​ iprange​​ -i​​ ext_if​​ !​​ --src-range​​ 192.168.1.1-192.168.1.3​​ -j​​ DROP

You can combine -s or --src-range with -d or --dst-range to control both the source and destination. For instance, if the Docker daemon listens on both 192.168.1.99 and 10.1.2.3, you can make rules specific to 10.1.2.3 and leave 192.168.1.99 open.

iptables is complicated and more complicated rules are out of scope for this topic. See the Netfilter.org HOWTO for a lot more information.

2./ Ví dụ​​ 2: Docker on a router

Docker also sets the policy for the FORWARD chain to DROP. If your Docker host also acts as a router, this will result in that router not forwarding any traffic anymore. If you want your system to continue functioning as a router, you can add explicit ACCEPT rules to the DOCKER-USER chain to​​ allow it:

$​​ iptables​​ -I​​ DOCKER-USER​​ -i​​ src_if​​ -o​​ dst_if​​ -j​​ ACCEPT

ví dụ​​ khác với các chain cho container

# FORWARD chain
-A FORWARD -o br-b8e25922a2fa xxx
-A FORWARD -o docker0 xxx# DOCKER's chains
-A DOCKER xxx
-A DOCKER-ISOLATION-STAGE-1 xxx
-A DOCKER-ISOLATION-STAGE-2 xxx
-A DOCKER -d 172.18.0.2/32 xxx# NAT
-A POSTROUTING -s -s 172.18.0.2/32 xxx

3./ Ví dụ: Allow range IP 172.16.0.0/26 kết nối đến port 443 state connection tcp new

iptables -A INPUT -p tcp --dport 443 -s 172.16.0.0/26 -m state --state NEW,ESTABLISHED

Tất nhiên là cần 1 Rule deny all đặt​​ ở​​ cuối cùng

iptables -A INPUT -j DROP

Với docker container

iptables -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp — dport 443 -j ACCEPT

4./ Chặn mọi kết nối ngoại trừ local đến 1 cổng trên container.

chặn mọi kết nối từ bên ngoài đến cổng 9272 giao thức tcp.

-I DOCKER-USER -i ens160 ! -s 127.0.0.1 -p tcp --dport 9272 -j DROP

Lưu ý: Interface bị chặn là​​ Interface vật lý.​​ 

5./ Tham khảo

https://cloudx.com.vn

https://docs.docker.com/network/iptables/

https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45

https://medium.com/swlh/manage-iptables-firewall-for-docker-kubernetes-daa5870aca4d

https://www.jeffgeerling.com/blog/2020/be-careful-docker-might-be-exposing-ports-world