Docker: details of setting up the container firewall

  • 2020-06-03 08:49:59
  • OfStack

Docker container firewall settings

Add the required parameters when starting the container.

Approach 1: Fully open (privileged mode)


--privileged=true 

But this hands the Docker container every capability of the host system, far more than iptables itself needs.

For example, an image named aaa is started as a container named bbb, and that container needs to use iptables internally. It can be started with privileged=true like so:


docker run --privileged=true -d -p 4489:4489/tcp --name bbb aaa

Approach 2: Partial opening (capabilities)

Only the capabilities that iptables requires are granted; all other privileges stay restricted:


--cap-add NET_ADMIN --cap-add NET_RAW

Worked example (configuring the container firewall in bridge mode):


# Create the container (no network yet; NET_ADMIN and NET_RAW are the only added capabilities)
docker run -itd --net=none --name=centos06 --cpuset-cpus="0-3" -m 1024M --memory-reservation 1024M --cap-add NET_ADMIN --cap-add NET_RAW ssh-java1.8-tomcat8-centos6 /bin/bash
# Configure the network IP (pipework attaches the container to bridge br0)
pipework br0 centos06 132.97.8.6/24@132.97.8.1
# Enter the container
docker attach centos06

# Set the firewall for the container 
[root@dee8225a9bba /]# iptables -A INPUT -s 132.97.0.0/16 -p tcp -m tcp --dport 21 -j ACCEPT
[root@dee8225a9bba /]# iptables -A INPUT -s 132.97.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
[root@dee8225a9bba /]# iptables -A INPUT -s 132.97.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
[root@dee8225a9bba /]# iptables -A INPUT -j DROP
[root@dee8225a9bba /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@dee8225a9bba /]# service iptablse restart
iptablse: unrecognized service
[root@dee8225a9bba /]# service iptables restart
iptables: Setting chains to policy ACCEPT: mangle nat filte[ OK ]
iptables: Flushing firewall rules:       [ OK ]
iptables: Unloading modules: iptable_mangle iptable_nat ip[FAILED]lter iptable_mangle iptable_nat iptable_filter ip_tables
iptables: Applying firewall rules:       [ OK ]
[root@dee8225a9bba /]# 
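As an added example (not code from the original article): a small POSIX shell script that generates the rule set from the session above in iptables-restore format, and a check that decodes the CapEff mask from /proc/self/status to confirm a container really holds NET_ADMIN and NET_RAW. It adds two rules the session above lacks, loopback and established/related connections, because the trailing `-A INPUT -j DROP` would otherwise also drop replies to the container's own outbound traffic. The function names and the sample capability masks used in comments are my own.

```shell
#!/bin/sh
# Added example, not part of the original article.

# build_rules <source-cidr> <port> [port ...]
# Prints an iptables-restore file: accept the listed TCP ports from one
# source CIDR, accept loopback and already-established connections,
# and drop everything else (the policy shown in the article's session).
build_rules() {
    src="$1"; shift
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Without these two rules the final DROP also kills replies to the
    # container's own connections and anything talking over lo.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# Bit positions of the two capabilities in the kernel capability bitmask
# (values from linux/capability.h).
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap <hex-mask> <bit>: succeeds if the bit is set in the mask.
# The mask is the CapEff value from /proc/self/status, e.g. the
# sample value 00000000a80435fb (Docker's default set plus NET_ADMIN).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# net_caps_present <hex-mask>: succeeds if NET_ADMIN and NET_RAW are both set.
# Inside the container, run it as:
#   net_caps_present "$(awk '/^CapEff/ {print $2}' /proc/self/status)"
net_caps_present() {
    has_cap "$1" "$CAP_NET_ADMIN" && has_cap "$1" "$CAP_NET_RAW"
}

# Example: regenerate the article's rule set and load it with iptables-restore.
# build_rules 132.97.0.0/16 21 22 8080 | iptables-restore
```

Pipe `build_rules` into `iptables-restore` inside the container to apply the rules atomically instead of appending them one by one.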

Reference: https://www.ofstack.com/article/103515.htm
