Artem Ryzhov, 2016-05-19 18:22:57
System administration

How to close ports opened by Docker?

Good afternoon!
Task: close all ports for outside access, except 22, 80 and 443. At the same time, servers located on the same local network must have access to all ports listening on this server.
Created iptables rules:
-P INPUT DROP
-A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/1 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.1.100/32 -j ACCEPT
-A INPUT -s 192.168.1.101/32 -j ACCEPT
-A INPUT -s 192.168.1.102/32 -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
Everything works, but after starting the docker containers, docker adds rules to its chain that open access to listening ports to the outside:
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.12/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.20/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
How to properly solve this problem so that open container ports are closed to the outside and are available only for certain servers specified in the INPUT chain?


3 answer(s)
Dmitry Shitskov, 2016-05-20
@Zarom

Try setting up docker based on the official network configuration documentation:
https://docs.docker.com/v1.8/articles/networking/
I think if you disable some options like --ip-forward and --iptables then you can use your own rule chains.

MOTORIST, 2017-10-03
@MOTORIST

Create a file
/etc/systemd/system/docker.service.d/noiptables.conf
Put the following in the file:
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false
Then configure via iptables

moropsk, 2018-01-08
@moropsk

If it's still relevant, I found it here: https://fralef.me/docker-and-iptables.html
Do this:
docker run --name squid -d --restart=always \
--publish 192.168.2.41:3128:3128 \
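
An added example, not code from the thread, from Docker, or from the linked article: a POSIX shell script that generates, as iptables-restore input, the ruleset the second answer leaves you to write by hand once the daemon runs with --iptables=false. It keeps the questioner's INPUT policy and adds the part that was missing. A published port is DNATed to the container's address, so its packets travel through FORWARD rather than INPUT; that is why the INPUT allowlist never saw them while Docker's own FORWARD rules admitted everyone. Here FORWARD admits only the three LAN hosts from the question, and every published port is bound to a single host address, which is the effect of --publish IP:hostport:containerport in the third answer. The host address 192.168.1.1 and the container subnet 172.17.0.0/16 are assumptions, and the port list is constructed from the question's DOCKER chain; none of these are stated on the page.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore ruleset
# for a host whose Docker daemon runs with --iptables=false, so that the ports
# listed in the question's DOCKER chain are reachable only from the LAN hosts
# named in the question, each bound to one host address the way
# --publish IP:hostport:containerport does.
#
# Assumed (constructed, not on the page): host LAN address 192.168.1.1 and the
# container subnet 172.17.0.0/16 behind the docker0 bridge.

LAN_HOSTS="192.168.1.100 192.168.1.101 192.168.1.102"
HOST_LAN_IP="192.168.1.1"
DOCKER_NET="172.17.0.0/16"
# bind_ip:host_port:container_ip:container_port (container side from the question)
PUBLISHED="${HOST_LAN_IP}:9200:172.17.0.5:9200 \
${HOST_LAN_IP}:27017:172.17.0.6:27017 \
${HOST_LAN_IP}:11211:172.17.0.20:11211"

gen_filter_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # INPUT: the questioner's policy for traffic addressed to the host itself
    # (-i lo replaces -s 127.0.0.1/32, same intent, not spoofable from outside)
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type 0 -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT'
    for h in $LAN_HOSTS; do echo "-A INPUT -s $h/32 -j ACCEPT"; done
    echo '-A INPUT -i docker0 -j ACCEPT'
    # FORWARD: a published port is DNATed to the container, so its packets are
    # forwarded and never reach INPUT. Docker's "-A FORWARD -o docker0 -j DOCKER"
    # is what opened every published port; here only the LAN hosts get through.
    echo '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A FORWARD -i docker0 -j ACCEPT'   # containers may talk out and to each other
    for h in $LAN_HOSTS; do echo "-A FORWARD -s $h/32 -o docker0 -j ACCEPT"; done
    # anything else bound for a container hits the FORWARD DROP policy
    echo 'COMMIT'
}

gen_nat_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for spec in $PUBLISHED; do
        bind=${spec%%:*}; rest=${spec#*:}
        hp=${rest%%:*};   rest=${rest#*:}
        cip=${rest%%:*};  cp=${rest#*:}
        # one DNAT per published port, restricted to the chosen host address
        echo "-A PREROUTING -d $bind/32 ! -i docker0 -p tcp --dport $hp -j DNAT --to-destination $cip:$cp"
    done
    # containers reach the outside with the host's address, as Docker itself would do
    echo "-A POSTROUTING -s $DOCKER_NET ! -o docker0 -j MASQUERADE"
    echo 'COMMIT'
}

# Exit status 0 when the generated FORWARD rules let host $1 reach the containers.
forward_allows() {
    gen_filter_rules | grep -qF -- "-A FORWARD -s $1/32 -o docker0 -j ACCEPT"
}

gen_ruleset() { gen_filter_rules; gen_nat_rules; }

# Running the script prints the ruleset; apply it as root on the host with:
#   sh docker-fw.sh | iptables-restore
gen_ruleset
```

Apply the output only on a host whose Docker daemon was started with --iptables=false, as in the second answer; otherwise the daemon adds its own DOCKER chains again and the FORWARD restriction is bypassed. A quick check after loading is `iptables -S FORWARD`, which should show the three per-host ACCEPT lines and no blanket `-o docker0` accept.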
