Docker in detail: setting up a firewall inside a container
- 2020-06-03 08:49:59
- OfStack
Docker container firewall settings
Add one of the following parameters when starting the container.
Approach 1: open everything
--privileged=true
This works, but it leaves every capability of the host system open to the Docker container, far more than iptables needs.
For example, to start the image aaa as a container named bbb that needs to use iptables inside the container, --privileged=true can be used:
docker run --privileged=true -d -p 4489:4489/tcp --name bbb aaa
Approach 2: open only what is needed
Grant only the capabilities that iptables requires, and nothing else:
--cap-add NET_ADMIN --cap-add NET_RAW
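A way to confirm that a running container received what iptables needs and nothing beyond it, as an added example (not part of the original article): decode the CapEff hex mask that the kernel reports in /proc/self/status and compare it against "Docker default set plus NET_ADMIN and NET_RAW". The capability bit numbers come from the kernel's capability.h; the hex value used for Docker's default set is an assumption that matches a 2020-era Docker and should be verified on your own host; the sample masks at the bottom are constructed.

```shell
#!/bin/sh
# Decode a Linux capability mask (the hex string after CapEff:/CapBnd: in
# /proc/<pid>/status) and report (a) whether iptables can work with it and
# (b) which capabilities it carries beyond what this page's Approach 2 grants.

# Capability bit numbers from the Linux kernel (include/uapi/linux/capability.h).
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# Docker's default capability set as a hex mask. Assumption: this matches a
# 2020-era Docker; check yours with: docker run --rm alpine grep CapEff /proc/self/status
DOCKER_DEFAULT_MASK=a80425fb

# has_cap HEXMASK BIT: succeeds when capability number BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_iptables_caps HEXMASK: prints the names of the iptables capabilities
# that are absent from the mask; prints nothing when both are present.
missing_iptables_caps() {
    out=""
    if ! has_cap "$1" $CAP_NET_ADMIN; then out="$out NET_ADMIN"; fi
    if ! has_cap "$1" $CAP_NET_RAW;   then out="$out NET_RAW";   fi
    echo "${out# }"
}

# excess_cap_bits HEXMASK: prints the capability bit numbers set in HEXMASK that
# fall outside "Docker default + NET_ADMIN + NET_RAW", i.e. what the container
# was given but does not need for iptables. Empty output means no excess.
excess_cap_bits() {
    allowed=$(( 0x$DOCKER_DEFAULT_MASK | (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) ))
    extra=$(( 0x$1 & ~allowed ))
    out=""
    bit=0
    while [ $bit -lt 64 ]; do
        if [ $(( (extra >> bit) & 1 )) -eq 1 ]; then out="$out $bit"; fi
        bit=$(( bit + 1 ))
    done
    echo "${out# }"
}

# report HEXMASK: one-line summary for a given mask.
report() {
    echo "CapEff=$1 missing=[$(missing_iptables_caps "$1")] excess_bits=[$(excess_cap_bits "$1")]"
}

# Constructed sample masks:
#   a80425fb   plain "docker run" (default set, no NET_ADMIN)
#   a80435fb   default set plus --cap-add NET_ADMIN --cap-add NET_RAW
#   3fffffffff every capability on a kernel with 38 of them (what --privileged yields)
for sample in a80425fb a80435fb 3fffffffff; do
    report "$sample"
done

# Inside a container, also report the live mask of this shell.
if [ -r /proc/self/status ]; then
    live=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    [ -n "$live" ] && report "$live"
fi
```

Run the script inside the container (docker exec or docker attach) right after starting it: an empty missing list together with an empty excess list is the state Approach 2 is meant to produce; a long excess list, in particular bit 21 (CAP_SYS_ADMIN), is the footprint of Approach 1.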
Worked example (configuring a container firewall in bridge mode):
# Create the container with only the two capabilities iptables needs
docker run -itd --net=none --name=centos06 --cpuset-cpus="0-3" -m 1024M --memory-reservation 1024M --cap-add NET_ADMIN --cap-add NET_RAW ssh-java1.8-tomcat8-centos6 /bin/bash
# Assign the container an IP address on bridge br0 with pipework
pipework br0 centos06 132.97.8.6/24@132.97.8.1
# Enter the container
docker attach centos06
# Set the firewall inside the container: allow FTP, SSH and Tomcat from the 132.97.0.0/16 network, drop everything else
[root@dee8225a9bba /]# iptables -A INPUT -s 132.97.0.0/16 -p tcp -m tcp --dport 21 -j ACCEPT
[root@dee8225a9bba /]# iptables -A INPUT -s 132.97.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
[root@dee8225a9bba /]# iptables -A INPUT -s 132.97.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
[root@dee8225a9bba /]# iptables -A INPUT -j DROP
[root@dee8225a9bba /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@dee8225a9bba /]# service iptablse restart
iptablse: unrecognized service
[root@dee8225a9bba /]# service iptables restart
iptables: Setting chains to policy ACCEPT: mangle nat filte[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: iptable_mangle iptable_nat ip[FAILED]lter iptable_mangle iptable_nat iptable_filter ip_tables
iptables: Applying firewall rules: [ OK ]
[root@dee8225a9bba /]#
Reference: https://www.ofstack.com/article/103515.htm