Blocking LAN access from Docker containers

Programming basics | Industry news | Updated: 2024-10-24 20:13:44
Problem description

I am running a Gentoo host with an Ubuntu container in Docker. They communicate via a bridge automatically created by Docker. I would like to drop all traffic for 192.168.0.0/16 that may come out of the container.

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT

$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443

Please let me know if I need to provide extra information.

Solution

One option would be to run docker with --icc=false, preventing any container from communicating with the host or with other containers; you could then let containers communicate with each other by linking them with --link=container_name:alias.

You could also operate with iptables with a rule like:

iptables -A INPUT -i docker0 -d 192.168.0.0/16 -j DROP

Keep in mind that a host doesn't see a dropped packet coming back as an ICMP error, so maybe REJECT is more appropriate in most cases.

Edit: correcting the rule to block forwarding to other hosts:

iptables -I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP
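As an added example (not part of the question or the answer above): a small first-match simulator over the FORWARD chain dumped in the question. It shows why the corrected rule must be inserted with -I rather than appended with -A: appended, it would sit behind `-A FORWARD -i docker0 ! -o docker0 -j ACCEPT` and never be reached. Only the match options present in the dump are modelled; the packet fields and the 192.168.1.10 LAN host are constructed sample data.

```python
import ipaddress
import shlex
# The FORWARD chain exactly as dumped in the question (iptables -S output).
FORWARD_DUMP = """\
-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
"""
# The corrected rule from the answer; -I puts it at the top of the chain.
BLOCK_RULE = "-I FORWARD -i docker0 -d 192.168.0.0/16 -j DROP"
# iptables option -> packet field compared against; "-m <module>" tokens fall through.
FIELDS = {"-i": "in_if", "-o": "out_if", "-d": "dst", "-p": "proto",
          "--dport": "dport", "--ctstate": "state"}

def parse_rule(line):
    """One '-A/-I FORWARD ...' line -> (action, {field: (value, negated)}, target)."""
    toks, matches, target, neg = shlex.split(line), {}, None, False
    for opt, arg in zip(toks, toks[1:] + [""]):
        if opt == "!":
            neg = True                       # negates the option that follows
        elif opt == "-j":
            target = arg
        elif opt in FIELDS:
            matches[FIELDS[opt]] = (arg, neg)
            neg = False
    return toks[0], matches, target

def load_chain(dump):
    """Kernel order: -A appends to the end, -I inserts at position 1 (the top)."""
    chain = []
    for line in dump.strip().splitlines():
        action, matches, target = parse_rule(line)
        chain.insert(0 if action == "-I" else len(chain), (matches, target))
    return chain

def _match(field, want, have):
    if field == "dst":
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    return have in want.split(",") if field == "state" else str(have) == want

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides, as the kernel walks the chain; else the policy."""
    for matches, target in chain:
        if all(_match(f, v, pkt.get(f)) != neg for f, (v, neg) in matches.items()):
            return target
    return policy
# Constructed packet: a new TCP connection from a container towards a LAN host.
LAN_PKT = {"in_if": "docker0", "out_if": "eth0", "dst": "192.168.1.10",
           "proto": "tcp", "dport": 22, "state": "NEW"}
```

Feeding the chain with the rule appended (`-A`) still returns ACCEPT for LAN_PKT; only the inserted (`-I`) form yields DROP, while container-to-internet traffic and established replies into the container stay ACCEPTed.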

Published: 2023-10-07 13:00:07
Original link: https://www.elefans.com/category/jswz/34/1469454.html