Docker环境下的iptables策略详解与用户自定义策略添加

Docker环境下的iptables策略详解与用户自定义策略添加

引用

CSDN

1.

https://blog.csdn.net/xingzuo_1840/article/details/140092496

在Docker环境中，传统的iptables规则可能无法按预期工作，因为Docker会自动添加和修改iptables规则以管理容器间的网络通信。本文将详细介绍Docker对iptables规则的影响，并演示如何在Docker环境中添加自定义的iptables策略，以允许指定主机访问容器提供的服务。

1. 需求

• 需求：iptables增加策略，允许指定主机访问本机的指定端口，但是该端口是docker容器提供的服务。

2. 分析

不想了解原理，直接操作的可以跳过本节

2.1 缘起

• 如果不是docker，我们可以这样写：

iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -s 10.10.181.198 -p tcp --dport 80 -j ACCEPT

• 但是docker建立了自己的iptables规则，将绕过filter表的INPUT链，接下来我们分析docker的iptables规则：

2.2 docker的iptables规则

• 但是对于docker，访问则绕过了filter表的INPUT链
• 而是通
  注意：但是本机访问docker服务或容器间互访，依然通过的是filter表的INPUT链

1）nat表

查看iptables的nat表，内容如下：

[root@liubei-test nginx01]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !loopback/8           ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.20.0.0/16        anywhere
MASQUERADE  all  --  172.19.0.0/16        anywhere
MASQUERADE  all  --  172.29.0.0/16        anywhere
MASQUERADE  all  --  192.168.176.0/20     anywhere
MASQUERADE  tcp  --  192.168.176.2        192.168.176.2        tcp dpt:netopia-vo2
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:20090
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:10090
MASQUERADE  tcp  --  172.29.0.2           172.29.0.2           tcp dpt:lrp
MASQUERADE  tcp  --  172.20.0.2           172.20.0.2           tcp dpt:http
MASQUERADE  tcp  --  172.19.0.2           172.19.0.2           tcp dpt:http
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.20.0.2:80

1. Chain PREROUTING 将请求转发到DOCKER链处理：
   DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

• ADDRTYPE：iptables的一个扩展模块，用于根据地址类型进行匹配。
• dst-type LOCAL：表示目标地址必须是本地地址

2. Chain DOCKER 修改了目标地址：
   DNAT tcp -- anywhere anywhere tcp dpt:http to:172.20.0.2:80

2）filter表

[root@liubei-test src]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.87.18          anywhere             tcp dpt:2375
DROP       tcp  --  anywhere             anywhere             tcp dpt:2375
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain DOCKER (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

1. 因为nat表修改了访问的目标地址，因此不再由filter表的INPUT链处理，而是交给了filter表的FORWARD链处理
2. FORWARD链会将请求依次交给如下链处理

• DOCKER-USER
• 作用：允许用户在此自定义规则
• Chain DOCKER-ISOLATION-STAGE-1
• 选择交给Chain DOCKER-ISOLATION-STAGE-2 处理
• 作用：主要用于实现Docker容器之间的网络隔离
• DOCKER
• docker自动创建的iptables规则
  注意的是，iptables的规则是匹配到即跳出。

3. 操作

如上文，我们只需修改预留给我们的filter表的DOCKER-USER链即可

iptables -I DOCKER-USER -p tcp --dport 80 -j DROP
iptables -I DOCKER-USER -s 10.10.181.201 -p tcp --dport 80 -j ACCEPT