theaidem, 2014-08-06 12:20:01
linux

What is wrong with iptables?

Hello, there is a cluster of four nodes (node00, node01, node02, node03); each one has a Docker container with RethinkDB running. The main database instance runs on node00, and the rest of the instances are attached to the main one. In short, everything works.
I'm trying to close off the admin panel, which is on http://:8080
Following the guide on the official site, I add the rules (on node00):

sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j DROP
sudo iptables -I INPUT -i eth0 -s 127.0.0.1 -p tcp --dport 8080 -j ACCEPT

but when I go to http://:8080 it still lets me into the admin panel. I am obviously missing something about how iptables rules are applied. If anyone can figure this out, please tell me..
Here is ifconfig:
docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
          inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::5484:7aff:fefe:9799/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8943417 (8.9 MB)  TX bytes:22696020 (22.6 MB)

eth0      Link encap:Ethernet  HWaddr 52:54:00:10:35:e2
          inet addr:10.7.8.185  Bcast:10.7.255.255  Mask:255.248.0.0
          inet6 addr: fe80::5054:ff:fe10:35e2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6795 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:253320 (253.3 KB)  TX bytes:439457 (439.4 KB)

eth1      Link encap:Ethernet  HWaddr 52:54:00:10:35:e3
          inet addr:XX.XX.XX.XX  Bcast:XX.XX.XX.XX  Mask:255.255.254.0
          inet6 addr: XXXX::XXX:XXXX:XXXX:XXXX/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22740953 (22.7 MB)  TX bytes:9462538 (9.4 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2548 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:129482 (129.4 KB)  TX bytes:129482 (129.4 KB)

vethfcf9  Link encap:Ethernet  HWaddr 1e:7a:6d:6c:34:85
          inet6 addr: fe80::1c7a:6dff:fe6c:3485/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:34790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34052 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9430477 (9.4 MB)  TX bytes:22696320 (22.6 MB)

iptables -L -v -n (default):
Chain INPUT (policy ACCEPT 3982 packets, 183K bytes)
 pkts bytes target     prot opt in       out      source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in       out      source               destination
24646 2889K ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8080
 4402 7266K ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:29019
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:28015
 7013   12M ACCEPT     all  --  *        docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
36851 9396K ACCEPT     all  --  docker0  !docker0 0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0  docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 5399 packets, 290K bytes)
 pkts bytes target     prot opt in     out     source               destination

~# cat /etc/iptables.rules
# Generated by iptables-save v1.4.12 on Wed Aug  6 14:29:35 2014
*filter
:INPUT ACCEPT [253:14212]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [271:17871]
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 29015 -j ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 28015 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Wed Aug  6 14:29:35 2014
# Generated by iptables-save v1.4.12 on Wed Aug  6 14:29:35 2014
*nat
:PREROUTING ACCEPT [5:276]
:INPUT ACCEPT [2:100]
:OUTPUT ACCEPT [731:44019]
:POSTROUTING ACCEPT [1075:64659]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28015 -j DNAT --to-destination 172.17.0.2:28015
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 29015 -j DNAT --to-destination 172.17.0.2:29015
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
COMMIT
# Completed on Wed Aug  6 14:29:35 2014
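The dump above already contains the answer to where the packet goes: Docker's DNAT in the nat PREROUTING chain rewrites a connection to port 8080 before the routing decision, so the packet is forwarded to the container rather than delivered to the host, and the INPUT chain is never evaluated. As an added illustration (not code from the question or the answer), the following Python script replays the posted rules through a simplified model of the netfilter path: nat PREROUTING (including the jump into Docker's DOCKER chain), the routing decision, then the filter table. It understands only the match types the dump uses. The ruleset is trimmed to the lines that affect inbound traffic, the local addresses come from the ifconfig output above, and the outside source address 203.0.113.5 and the added FORWARD DROP rule are constructed for the example.

```python
# Added example: replay the question's iptables-save dump through a simplified netfilter model.
import ipaddress
import re

LOCAL_ADDRS = {"10.7.8.185", "172.17.42.1", "127.0.0.1"}   # node00's addresses, from ifconfig above

# Rules copied from the posted /etc/iptables.rules, trimmed to those that affect inbound traffic.
IPTABLES_SAVE = """
*filter
:INPUT ACCEPT [253:14212]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [5:276]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:8080
COMMIT
"""
# Constructed fix: a DROP inserted ahead of Docker's FORWARD ACCEPT (what `iptables -I FORWARD ...` does).
FIXED_SAVE = IPTABLES_SAVE.replace("-A FORWARD -d 172.17.0.2/32",
    "-A FORWARD ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j DROP\n-A FORWARD -d 172.17.0.2/32", 1)

OPTS = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport",
        "--ctstate": "ctstate", "--dst-type": "dst_type", "--to-destination": "to"}

def parse_rule(line):
    """Turn one `-A CHAIN opt val ...` line into (chain, {option: value, "negate": {options}})."""
    chain, rest = line.split()[1], line.split(None, 2)[2]
    rule = {"target": None, "negate": set()}
    for neg, opt, val in re.findall(r"(!?)\s*(-\S+)\s+(\S+)", rest):
        if opt == "-j":
            rule["target"] = val
        elif opt != "-m":                            # "-m <ext>" only names the match extension
            rule[OPTS[opt]] = val
            if neg:
                rule["negate"].add(OPTS[opt])
    return chain, rule

def parse_dump(dump):
    """Return {table: {"chains": {name: [rules]}, "policy": {name: policy}}}."""
    tables, cur = {}, None
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"chains": {}, "policy": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            cur["chains"][name], cur["policy"][name] = [], policy
        elif line.startswith("-A"):
            chain, rule = parse_rule(line)
            cur["chains"][chain].append(rule)
    return tables

def in_net(addr, cidr):
    return cidr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def matches(rule, pkt):
    """Every option present in the rule must match; a leading `!` inverts that test."""
    tests = {"in": rule.get("in") == pkt["in"], "out": rule.get("out") == pkt["out"],
             "proto": rule.get("proto") == pkt["proto"], "dport": rule.get("dport") == str(pkt["dport"]),
             "src": in_net(pkt["src"], rule.get("src")), "dst": in_net(pkt["dst"], rule.get("dst")),
             "ctstate": pkt["state"] in rule.get("ctstate", "").split(","),
             "dst_type": rule.get("dst_type") != "LOCAL" or pkt["dst"] in LOCAL_ADDRS}
    return all(ok != (k in rule["negate"]) for k, ok in tests.items() if k in rule)

def walk(table, chain, pkt, trail):
    """Evaluate a chain top to bottom; return the terminating target, or None if it falls off the end."""
    for n, rule in enumerate(table["chains"][chain], 1):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in table["chains"]:                   # jump into a user-defined chain
            trail.append(f"{chain}#{n} -> {tgt}")
            verdict = walk(table, tgt, pkt, trail)
            if verdict:
                return verdict
            continue                                 # implicit RETURN: keep walking this chain
        if tgt == "DNAT":                            # rewrite the destination address and port
            pkt["dst"], port = rule["to"].rsplit(":", 1)
            pkt["dport"] = int(port)
        trail.append(f"{chain}#{n} {tgt}" + (f" -> {rule['to']}" if tgt == "DNAT" else ""))
        return tgt

def trace_inbound(dump, dst_ip, dport, in_iface="eth0", src="203.0.113.5"):
    """Follow a NEW TCP SYN: nat PREROUTING, then the routing decision, then the filter table."""
    tables = parse_dump(dump)
    pkt = {"in": in_iface, "out": None, "proto": "tcp", "src": src,
           "dst": dst_ip, "dport": dport, "state": "NEW"}
    trail = []
    walk(tables["nat"], "PREROUTING", pkt, trail)
    # After DNAT to 172.17.0.2 the packet is no longer for the host itself: it is routed via FORWARD, not INPUT.
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    if chain == "FORWARD":
        pkt["out"] = "docker0" if in_net(pkt["dst"], "172.17.0.0/16") else in_iface
    verdict = walk(tables["filter"], chain, pkt, trail)
    return chain, verdict or f"policy {tables['filter']['policy'][chain]}", trail
```

Calling `trace_inbound(IPTABLES_SAVE, "10.7.8.185", 8080)` returns the chain FORWARD with verdict ACCEPT and a trail of PREROUTING -> DOCKER, DNAT to 172.17.0.2:8080, FORWARD rule 1; the INPUT DROP rule is never reached. With `FIXED_SAVE` the same connection hits the FORWARD DROP first. The practical consequences: a host-level restriction on a Docker-published port has to live in the FORWARD chain ahead of Docker's own ACCEPT, or the port should not be published on all interfaces in the first place (publishing it as `-p 127.0.0.1:8080:8080` keeps the admin panel reachable only from the host). Docker reinstalls its rules when the daemon or container restarts, so a manually inserted FORWARD rule needs to be reapplied afterwards.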

1 answer(s)

bazil11, 2014-08-06
@theaidem

Perhaps a slip-up with the order in which the rules are applied?
You add the DROP rule with -A (Append, to the end of the chain), and the ACCEPT rule with -I (Insert, which is generally odd: after specifying the chain, you need to specify the number of the position at which the rule will be added). Can you also post iptables-save?
Also, your INPUT chain is empty (or does "default" in brackets mean these are the values before adding the rules?)
