Filtering in the INPUT chain does not apply to Docker-forwarded ports.


I have a Linux server running a Docker application that exposes port 80 inside the container as port 20080 on the host machine.

The server's IP address is 10.10.10.10, and I need to block access from 10.10.10.11 to 10.10.10.10:20080.

However, adding a DROP rule to the INPUT chain has no effect, and the port remains reachable. Any ideas?

Attached below is the full set of iptables rules.

# iptables-save
# Generated by iptables-save v1.8.7 on Thu Jul  6 22:26:24 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 20080 -j DROP
-A FORWARD -p tcp -m tcp --dport 20080 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-643859f655c0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-643859f655c0 -j DOCKER
-A FORWARD -i br-643859f655c0 ! -o br-643859f655c0 -j ACCEPT
-A FORWARD -i br-643859f655c0 -o br-643859f655c0 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-643859f655c0 ! -o br-643859f655c0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-643859f655c0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Thu Jul  6 22:26:24 2023
# Generated by iptables-save v1.8.7 on Thu Jul  6 22:26:24 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-643859f655c0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-643859f655c0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 20080 -j DNAT --to-destination 172.17.0.4:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 20022 -j DNAT --to-destination 172.17.0.4:22
COMMIT
# Completed on Thu Jul  6 22:26:24 2023
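Why the two DROP rules above never fire, and what a working rule looks like, as an added example that is not part of the original question: the nat PREROUTING DNAT rewrites the destination to 172.17.0.4:80 before the routing decision, so the packet is forwarded (INPUT is never traversed) and reaches FORWARD with dport 80, not 20080; Docker's DOCKER-USER chain is the hook meant for such rules. The port and container address are taken from the question; the external interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original question. Port 20080 -> 172.17.0.4:80
# comes from the question; WAN_IF=eth0 is an assumption about the host's NIC.
HOST_PORT=20080
CONTAINER=172.17.0.4
CONTAINER_PORT=80
WAN_IF=eth0
# Constructed sample: the lines of the question's filter table that matter.
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 20080 -j DROP
-A FORWARD -p tcp -m tcp --dport 20080 -j DROP
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN'

# INPUT/FORWARD rules on the published port can never match: nat PREROUTING
# DNATs the packet to 172.17.0.4:80 before routing, so it is forwarded (INPUT is
# skipped) and arrives in FORWARD with --dport 80. Status 0 if any such rule exists.
dead_rules() {
    printf '%s\n' "$1" | grep -E "^-A (INPUT|FORWARD) .*--dport $HOST_PORT"'( |$)'
}
# DOCKER-USER rules other than Docker's default RETURN (status 0 if any exist).
docker_user_rules() {
    printf '%s\n' "$1" | grep -E '^-A DOCKER-USER ' | grep -v -- '-j RETURN$'
}
# The rule that works: DOCKER-USER is the first chain FORWARD jumps to, and the
# conntrack ORIGINAL direction still carries the pre-DNAT port 20080.
block_rule() {    # $1 = source address to block
    printf 'iptables -I DOCKER-USER -i %s -s %s -p tcp -m conntrack --ctdir ORIGINAL --ctorigdstport %s -j DROP\n' \
        "$WAN_IF" "$1" "$HOST_PORT"
}
# Same effect written against the post-DNAT tuple that FORWARD actually sees.
block_rule_post_dnat() {
    printf 'iptables -I DOCKER-USER -i %s -s %s -d %s -p tcp --dport %s -j DROP\n' \
        "$WAN_IF" "$1" "$CONTAINER" "$CONTAINER_PORT"
}
# 0 when a dump has no dead rules and at least one real DOCKER-USER rule.
dump_is_sane() {
    ! dead_rules "$1" >/dev/null && docker_user_rules "$1" >/dev/null
}

# Constructed "after" dump: dead rules removed, DOCKER-USER rule inserted
# (rewritten into iptables-save form).
SAMPLE_FIXED="-A FORWARD -j DOCKER-USER
$(block_rule 10.10.10.11 | sed 's/^iptables -I /-A /')
-A DOCKER-USER -j RETURN"

dump_is_sane "$SAMPLE_RULES" || { echo 'ineffective rules found; use instead:'; block_rule 10.10.10.11; }
dump_is_sane "$SAMPLE_FIXED" && echo 'fixed dump: the published port is actually filtered'
```

Run the emitted `iptables -I DOCKER-USER ...` command as root on the host; the two dead rules in INPUT and FORWARD can be deleted, since they match nothing.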
