A simple configuration tutorial for CentOS7 Docker firewall
- 2020-08-22 23:01:04
- OfStack
Disable the firewalld service
systemctl disable firewalld
systemctl stop firewalld
Install the iptables firewall service
yum install iptables-services
Create the iptables configuration script
cat > /usr/local/bin/fired.sh <<'EOF'
#!/bin/bash
# Flush the filter table, delete all user-defined chains (Docker's included)
# and zero the counters. Run this BEFORE docker starts: the daemon recreates
# its own chains and rules on startup, and they would be lost otherwise.
iptables -F
iptables -X
iptables -Z
# Default policies. FORWARD ACCEPT means every port published with -p is
# reachable: those packets are routed through FORWARD and never hit INPUT,
# so the INPUT DROP policy does not protect container services.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP echo request (ping)
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
# Optional: drop sources that open more than 50 new HTTP connections in 60 s
# (the --update rule only works together with a --set rule)
#iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
#iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP
# Optional: only user vivek may open outbound HTTP connections
#iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Drop new connections to privileged ports that arrive from a privileged source
# port (legitimate clients use ephemeral ports)
iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
# Services the host itself runs; clients use unprivileged source ports
# (1024:65535, not 1024:65534, which would reject a client on port 65535)
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
# 2376 is the TLS Docker remote API, a root-equivalent interface: only expose
# it with --tlsverify configured on the daemon, ideally restricted with -s
iptables -A INPUT -p tcp --dport 2376 --sport 1024:65535 -j ACCEPT
# 3306 (MySQL) is open to the world here; add -s <trusted net> in production
iptables -A INPUT -p tcp --dport 3306 --sport 1024:65535 -j ACCEPT
# OpenVPN configuration
# iptables -A POSTROUTING -t nat -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p TCP -i eth0 --dport 10173 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p UDP -i eth0 --dport 10173 --sport 1024:65535 -j ACCEPT
EOF
chmod +x /usr/local/bin/fired.sh
Add the boot entries to rc.local
cat >> /etc/rc.d/rc.local <<EOF
# Firewall & Docker: order matters. fired.sh flushes every chain, so the
# docker service, which recreates its own chains, must start after it.
/usr/bin/systemctl start iptables.service
/usr/local/bin/fired.sh
/usr/bin/systemctl start docker
EOF
chmod +x /etc/rc.d/rc.local
Disable auto-start of the related services
# Note: Docker adds its own iptables chains and rules automatically when the
# daemon starts. rc.local now controls the ordering (firewall script first,
# docker last), so neither service should start on its own.
systemctl disable iptables.service
systemctl disable docker
Pitfalls of Docker on CentOS7
Installing MySQL in Docker fails with "chown ... /var/lib/mysql: Permission denied": use method 1 below.
Mounting a host directory as a data volume on CentOS and getting "Permission denied" when the container accesses it is resolved the same way, by method 1 below.
1. On CentOS7, SELinux denies the container access to the bind-mounted host directory, so mysql and mariadb fail as follows when /var/lib/mysql is mounted:
[root@localhost mariadb]# docker run -d -v ~/mariadb/data/:/var/lib/mysql -v ~/mariadb/config/:/etc/mysql/conf.d -e MYSQL_ROOT_PASSWORD='123456' test01/mariadb
19c4aa113c610f53f9720ee806e3c918dd18d21dff75c043bdd6db60011a135d
[root@localhost mariadb]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
19c4aa113c61 test01/mariadb "docker-entrypoint.sh" 4 seconds ago Exited (1) 1 seconds ago desperate_kelle
docker logs shows the reason:
chown: changing ownership of ‘/var/lib/mysql/....‘: Permission denied
There are four ways to resolve this:
Add --privileged=true to docker run (the container then runs unconfined, which also removes most of Docker's isolation; avoid this for a database you expose)
Grant the container only the specific permissions it needs
Disable SELinux (setenforce 0)
Add SELinux rules and relabel the mounted directory (Docker's :z / :Z volume suffix does this relabeling for you and is the narrowest fix)
2. Sometimes, starting a container with a port mapping fails with:
iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 52080 -j DNAT --to-destination 192.168.20.22:52080 ! -i docker0: iptables: No chain/target/match by that name
I found no explanation for this at the time. The post at http://www.lxy520.net/2015/09/24/centos-7-docker-qi-dong-bao/ suggests editing the iptables configuration file, but CentOS7 may not have that file, or the iptables service, at all. In the end a reboot of the host restored things; along the way I used firewall-cmd to inspect the state and stopped the firewall. The message itself means the DOCKER chain no longer exists in the nat table: Docker creates that chain when the daemon starts, and it disappears if the tables are flushed or the firewall service is restarted afterwards, so systemctl restart docker recreates it without a full reboot.
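Both firewall behaviours in this tutorial (ports published with -p are accepted in FORWARD rather than INPUT, so the INPUT DROP policy in fired.sh does not cover them, and docker run -p fails with "No chain/target/match by that name" once the nat DOCKER chain is gone) can be checked offline from an iptables-save dump. The following Python script is an added example and not code from the original article: it parses the iptables-save format, lists the TCP ports the host accepts on INPUT, lists the host ports Docker DNATs into containers, and reports whether the nat DOCKER chain exists. The two embedded dumps are constructed samples that mimic a CentOS 7 host running fired.sh with one published container port (and the same host after its nat table was flushed); function names such as audit and parse_dump are this example's own.

```python
# Offline audit of an iptables-save dump from a Docker host. Added example, not
# code from the original article; function names are this example's own and the
# embedded dumps are constructed samples, not captures from a real host.
import re
import sys

# Constructed: CentOS 7 host after fired.sh ran and docker started, with one
# container published as -p 52080:80.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 52080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
# Constructed: the same host after its nat table was flushed behind dockerd's back.
FLUSHED_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
"""
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")
RULE_RE = re.compile(r"^-A (\S+) (.*)$")

def parse_dump(text):
    """{table: {chain: {"policy": str, "rules": [rule body, ...]}}}"""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # "*nat" opens a table
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            table = None
        elif CHAIN_RE.match(line):                # ":INPUT DROP [0:0]"
            name, policy = CHAIN_RE.match(line).groups()
            table[name] = {"policy": policy, "rules": []}
        elif RULE_RE.match(line):                 # "-A INPUT ... -j ACCEPT"
            name, body = RULE_RE.match(line).groups()
            table.setdefault(name, {"policy": "-", "rules": []})["rules"].append(body)
    return tables

def opt_value(rule, flag):
    """Value after an option such as '-j' or '--dport', or None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None

def host_accept_ports(tables):
    """TCP dports explicitly ACCEPTed on filter/INPUT (the only way in under policy DROP)."""
    ports = {opt_value(r, "--dport") for r in tables["filter"]["INPUT"]["rules"]
             if opt_value(r, "-j") == "ACCEPT" and opt_value(r, "-p") == "tcp"
             and opt_value(r, "--dport")}
    return sorted(ports, key=lambda p: int(p.split(":")[0]))

def published_ports(tables):
    """{(proto, host port): container dest} from nat/DOCKER DNAT rules. These packets
    are routed, so they traverse FORWARD and never INPUT: INPUT DROP does not cover them."""
    rules = tables.get("nat", {}).get("DOCKER", {"rules": []})["rules"]
    return {(opt_value(r, "-p"), opt_value(r, "--dport")): opt_value(r, "--to-destination")
            for r in rules if opt_value(r, "-j") == "DNAT"}

def docker_nat_chain_present(tables):
    """False is the state behind the article's second pitfall: `docker run -p` appends to
    nat/DOCKER and iptables answers "No chain/target/match by that name" when it is gone."""
    return "DOCKER" in tables.get("nat", {})

def audit(text):
    tables = parse_dump(text)
    return {
        "input_policy": tables["filter"]["INPUT"]["policy"],
        "forward_policy": tables["filter"]["FORWARD"]["policy"],
        "host_tcp_ports": host_accept_ports(tables),
        "published": published_ports(tables),
        "docker_nat_chain": docker_nat_chain_present(tables),
    }

if __name__ == "__main__":
    # Usage on a host: iptables-save > dump.txt && python3 audit_iptables.py dump.txt
    print(audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP))
```

On a real host, run iptables-save > dump.txt and pass the file as the first argument; the script needs no root because it only reads the dump. If the FORWARD policy is ACCEPT and the published list is non-empty, those ports are reachable no matter what the INPUT rules say; on Docker 17.06 or later, put such restrictions in the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules and does not overwrite when the daemon restarts.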
Conclusion