A simple configuration tutorial for CentOS7 Docker firewall

  • 2020-08-22 23:01:04
  • OfStack

Simple configuration of CentOS7 Docker firewall

Disable the firewalld service


systemctl disable firewalld
systemctl stop firewalld

Install the iptables firewall service


yum install iptables-services

Create the iptables configuration script


cat >> /usr/local/bin/fired.sh <<'EOF'
#!/bin/bash

# Flush all rules, delete user-defined chains and zero the counters (filter table)
iptables -F
iptables -X
iptables -Z
# Default policies: drop inbound traffic, allow outbound and forwarded (Docker) traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Allow loopback, replies to established connections, and ping (ICMP echo request)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
# Optional: rate-limit new HTTP connections (note: --update alone never adds entries; a matching -m recent --set rule is needed)
#iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 50 -j DROP
# Optional: allow outbound HTTP only for processes owned by user vivek
#iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Drop SYN packets sent from a privileged source port to a privileged destination port
iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
# Open SSH, HTTP, the Docker TLS daemon port (2376) and MySQL (3306) to clients using unprivileged source ports
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 2376 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 --sport 1024:65534 -j ACCEPT

# OpenVPN Configuration
# iptables -A POSTROUTING -t nat -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p TCP -i eth0 --dport 10173 --sport 1024:65534 -j ACCEPT
# iptables -A INPUT -p UDP -i eth0 --dport 10173 --sport 1024:65534 -j ACCEPT
EOF

chmod +x /usr/local/bin/fired.sh

Add the startup entries to rc.local (the firewall script must run before Docker starts)


cat >> /etc/rc.d/rc.local <<EOF

# Firewall & Docker
/usr/bin/systemctl start iptables.service
/usr/local/bin/fired.sh
/usr/bin/systemctl start docker
EOF

chmod +x /etc/rc.d/rc.local

Disable auto-start of related services


# Note: Docker automatically adds some iptables rules of its own when it starts, so it is started from rc.local after the firewall script instead of by systemd

systemctl disable iptables.service
systemctl disable docker

A pitfall of Docker on CentOS 7

Installing MySQL in Docker fails with "chown ... /var/lib/mysql: Permission denied"; see method 1 below.

Mounting a data volume on CentOS and then accessing it from inside the container also reports "Permission denied"; this is resolved by method 1 below as well.

1. SELinux on CentOS 7 blocks some operations, causing mysql and mariadb to fail as follows when /var/lib/mysql is mounted from the host:


[root@localhost mariadb]# docker run -d -v ~/mariadb/data/:/var/lib/mysql -v ~/mariadb/config/:/etc/mysql/conf.d -e MYSQL_ROOT_PASSWORD='123456' test01/mariadb
19c4aa113c610f53f9720ee806e3c918dd18d21dff75c043bdd6db60011a135d
[root@localhost mariadb]# docker ps -a
CONTAINER ID  IMAGE    COMMAND     CREATED    STATUS      PORTS          NAMES
19c4aa113c61  test01/mariadb  "docker-entrypoint.sh" 4 seconds ago  Exited (1) 1 seconds ago            desperate_kelle

Viewing the container with the docker logs command shows the message: chown: changing ownership of ‘/var/lib/mysql/....‘: Permission denied

So there are three solutions:

1. Add --privileged=true to docker run, which grants the container specific permissions
2. Disable SELinux
3. Add rules in SELinux and modify the mount directory de

2. Sometimes, when you start a container with a port map, the following prompts appear:


iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 52080 -j DNAT --to-destination 192.168.20.22:52080 ! -i docker0: iptables: No chain/target/match by that name

I could not find an explanation for this. The article at http://www.lxy520.net/2015/09/24/centos-7-docker-qi-dong-bao/ says to modify the iptables file, but CentOS 7 will likely not have that file, or not have the iptables service. In the end, restarting the host machine restored things; in the meantime I tried using the firewall-cmd command to query and stop the firewall.
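As an added example that is not part of the original post, the following POSIX shell script checks an iptables-save dump for the two conditions the boot order above relies on: that the firewall script has applied its INPUT DROP policy, and that Docker's DOCKER chain in the nat table exists, since its absence is what produces the "No chain/target/match by that name" error shown above when a container is started with a port mapping. The function names and the sample dump in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose whether the iptables
# rule set is in the state the post's rc.local boot order expects.
# Usage on the host:   . ./check_fw.sh && iptables-save | check_ruleset
# It only parses a dump, so a saved copy can be checked offline as well.

# Print the policy column of chain $2 in table $1 from an iptables-save
# dump on stdin ("DROP", "ACCEPT", or "-" for user-defined chains).
# Prints nothing if the table or chain is absent.
chain_policy() {
    awk -v t="*$1" -v c=":$2" '
        $1 == t { in_table = 1; next }   # entered the requested table
        /^\*/   { in_table = 0 }         # any other table header ends it
        in_table && $1 == c { print $2; exit }
    '
}

# Succeed if chain $2 exists in table $1 of the dump on stdin.
has_chain() {
    [ -n "$(chain_policy "$1" "$2")" ]
}

# Read a dump on stdin, print findings, and return the number of problems.
check_ruleset() {
    dump=$(cat)
    problems=0

    pol=$(printf '%s\n' "$dump" | chain_policy filter INPUT)
    if [ "$pol" != "DROP" ]; then
        echo "WARN: filter INPUT policy is '${pol:-missing}', expected DROP (fired.sh not applied?)"
        problems=$((problems + 1))
    fi

    if ! printf '%s\n' "$dump" | has_chain nat DOCKER; then
        echo "WARN: nat DOCKER chain missing: docker run -p will fail with 'No chain/target/match by that name'; restart docker after the firewall script"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: firewall policy and Docker nat chain look consistent"
    return "$problems"
}
```

A non-zero return value is the count of problems found, so the function can be used directly in a boot-time health check or a cron job; running it right after rc.local has finished is the quickest way to confirm that the firewall script and Docker came up in the intended order.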

Conclusion

