Docker
kiranananda, 2019-02-17 20:55:08

How do I block Docker traffic?

Hello!
I'm completely stumped. I have a swarm, and I need to allow only a few ports to be reachable from outside; for example, port 5000 (repository) definitely must not be reachable there, nor some local services. All would be fine, I would just block things in the INPUT chain and enjoy life, but it turned out to be much more fun than that.
The nat table has a chain like this:

Chain DOCKER-INGRESS (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   384 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.18.0.2:8080
19766 1303K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

and all the traffic goes to the Docker host 172.18.0.2, which is clearly not the current node. How do I fit in here correctly so that I don't break the other rules? I want to block everyone, and then allow whoever I need... At worst, of course, I could block the unneeded addresses, but there is more chance of making a mistake that way...


1 answer(s)
kiranananda, 2019-02-17

Well, I sort of figured it out; the fastest way is to write here and the ideas come immediately :) ...
Cunning DNATs and other things, plus rereading the docs. In short, you need to filter in the
DOCKER-USER chain. Then everything is fine :)
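To make the answer concrete, here is an added example (not from the thread) of a default-deny policy in DOCKER-USER that keeps two published ports reachable from outside and closes the registry port 5000; eth0 as the external interface, the allowed ports 80 and 443, and the audit helper are assumptions of this example, not anything the poster described.

```shell
#!/bin/sh
# Added example (not from the original thread): default-deny for swarm-published
# ports in DOCKER-USER, plus a check that the chain actually carries the rules.
# Assumptions: eth0 is the external interface and only 80 and 443 should stay
# reachable from outside, so 5000 (the registry) becomes unreachable.

EXT_IF="eth0"          # assumed external interface
ALLOWED_PORTS="80 443" # assumed published ports that stay reachable

# Emit the iptables commands. Swarm ingress DNATs in the nat table before the
# filter FORWARD chain (and so DOCKER-USER) is evaluated, hence we match the
# port the client originally asked for with conntrack's --ctorigdstport rather
# than --dport. Permitted traffic is handed back with RETURN so Docker's own
# chains still run; the final RETURN restores the default Docker puts there.
docker_user_rules() {
    echo "iptables -F DOCKER-USER"
    echo "iptables -A DOCKER-USER -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    for p in $ALLOWED_PORTS; do
        echo "iptables -A DOCKER-USER -i $EXT_IF -p tcp -m conntrack --ctorigdstport $p -j RETURN"
    done
    echo "iptables -A DOCKER-USER -i $EXT_IF -j DROP"   # everything else from outside
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Audit: read 'iptables -S DOCKER-USER' output on stdin and succeed only if the
# chain ends with the external-interface DROP followed by the trailing RETURN.
audit_docker_user() {
    tail -n 2 | tr '\n' ' ' | grep -q -- "-A DOCKER-USER -i $EXT_IF -j DROP -A DOCKER-USER -j RETURN"
}

case "${1:-}" in
    --apply) docker_user_rules | sh -e ;;                   # needs root
    --audit) iptables -S DOCKER-USER | audit_docker_user ;; # needs root
    *)       docker_user_rules ;;                           # dry run: print only
esac
```

DOCKER-USER only sees forwarded traffic, so the host's own services in INPUT (SSH, for instance) are untouched by these rules; save the current ruleset before running with --apply.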
