How to close ports opened by Docker?
Good afternoon!
Task: close all ports to outside access, except 22, 80 and 443. At the same time, servers on the same local network must have access to all ports listening on this server.
Created iptables rules:
-P INPUT DROP
-A INPUT -p tcp -m tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/1 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 192.168.1.100/32 -j ACCEPT
-A INPUT -s 192.168.1.101/32 -j ACCEPT
-A INPUT -s 192.168.1.102/32 -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
Everything works, but after the docker containers start, docker adds rules to its own chains that open the containers' listening ports to the outside:
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.12/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.20/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
How to properly solve this problem so that open container ports are closed to the outside and are available only for certain servers specified in the INPUT chain?
Try setting up docker based on the official network configuration documentation:
https://docs.docker.com/v1.8/articles/networking/
I think if you disable some options like --ip-forward and --iptables then you can use your own rule chains.
Create a file
/etc/systemd/system/docker.service.d/noiptables.conf
Put the following in the file:
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --iptables=false
Then configure it via iptables.
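The answer above turns off Docker's rule management entirely. The script below is an added example, not part of the question or the answer, that takes the other route: it keeps Docker's rules, parses the DOCKER chain quoted in the question (as `iptables-save` prints it) to list which container ports are reachable from any interface other than docker0, and then generates DOCKER-USER rules that let only the question's public ports (80, 443) and trusted LAN hosts (192.168.1.100-102) through, dropping everything else that arrives on the external interface. Assumptions: the external interface is called eth0 (a placeholder), and the daemon is Docker 17.06 or later, where the DOCKER-USER chain exists and is the first jump in FORWARD (the 1.8 documentation linked in the answer predates it). The script prints iptables command lines; it applies nothing.

```python
"""Audit which container ports Docker's filter-table DOCKER chain exposes and
generate DOCKER-USER rules that restrict them.

Added example, not from the question or the answer. Assumptions (placeholders):
  * the host's external interface is eth0;
  * the daemon is Docker 17.06 or later, so the DOCKER-USER chain exists and is
    the first jump in FORWARD (the 1.8 docs linked in the answer predate it).
The script only prints iptables command lines; nothing is applied.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample input: the DOCKER chain rules quoted in the question
# (as printed by `iptables-save`).
SAMPLE_DOCKER_CHAIN = """\
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A DOCKER -d 172.17.0.12/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.20/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 11211 -j ACCEPT
"""

# One published port per line: Docker accepts traffic to <container ip>:<port>
# that enters on ANY interface other than docker0 ("! -i docker0"), which is
# why the INPUT chain never gets a say.
DOCKER_RULE = re.compile(
    r"^-A DOCKER -d (?P<ip>\d+\.\d+\.\d+\.\d+)/32 ! -i docker0 -o docker0 "
    r"-p (?P<proto>tcp|udp) -m (?P=proto) --dport (?P<port>\d+) -j ACCEPT$"
)


def exposed_ports(iptables_save_output: str) -> List[Tuple[str, str, int]]:
    """Return (container_ip, proto, container_port) for every DOCKER chain rule
    that admits traffic from outside the bridge.

    Note: --dport here is the container-side port after DNAT; the host-side
    port lives in the nat table's DOCKER chain and may differ.
    """
    found = []
    for line in iptables_save_output.splitlines():
        m = DOCKER_RULE.match(line.strip())
        if m:
            found.append((m["ip"], m["proto"], int(m["port"])))
    return found


def docker_user_rules(ext_iface: str, public_ports: Iterable[int],
                      trusted_sources: Iterable[str]) -> List[str]:
    """Build the DOCKER-USER rule set as iptables command lines.

    FORWARD jumps to DOCKER-USER before DOCKER, so a DROP here wins over
    Docker's ACCEPT. Order matters: replies to container-initiated
    connections, the public ports and the trusted LAN hosts RETURN (and fall
    through to Docker's own rules); anything else arriving on the external
    interface is dropped. Services on the host itself are unaffected because
    DOCKER-USER only sees forwarded packets.
    """
    rules = ["iptables -F DOCKER-USER"]
    # Replies to connections the containers opened themselves (e.g. package
    # downloads) enter on the external interface; let them through first.
    rules.append(f"iptables -A DOCKER-USER -i {ext_iface} "
                 "-m conntrack --ctstate RELATED,ESTABLISHED -j RETURN")
    # --ctorigdstport matches the port the client actually connected to
    # (pre-DNAT), so the published host port is named, not the container port.
    for port in public_ports:
        rules.append(f"iptables -A DOCKER-USER -i {ext_iface} -p tcp "
                     f"-m conntrack --ctorigdstport {port} -j RETURN")
    for src in trusted_sources:
        rules.append(f"iptables -A DOCKER-USER -i {ext_iface} -s {src} -j RETURN")
    rules.append(f"iptables -A DOCKER-USER -i {ext_iface} -j DROP")
    # Docker's own default content for the chain; keep it as the last rule.
    rules.append("iptables -A DOCKER-USER -j RETURN")
    return rules


if __name__ == "__main__":
    for ip, proto, port in exposed_ports(SAMPLE_DOCKER_CHAIN):
        print(f"exposed from outside: {ip} {proto}/{port}")
    # Trusted hosts and public ports come from the question; eth0 is a placeholder.
    for rule in docker_user_rules("eth0", [80, 443],
                                  ["192.168.1.100/32", "192.168.1.101/32",
                                   "192.168.1.102/32"]):
        print(rule)
```

Run it, review the printed rules, and only then feed them to a root shell; re-run after every daemon restart check, because Docker recreates its own chains but leaves DOCKER-USER contents alone, which is the reason to put the restrictions there rather than directly in FORWARD.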