时鹏亮's Blog

The curious case of iptables-blocked ports becoming reachable again after a Docker restart

Please note: this article was last updated 5 months ago, and its content may be out of date.

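So here's the story: a while back the company ran one of those wretched network-protection drills (护网), and the scan picked up a Kafka and ZooKeeper service I had running on the internal network, for internal use only.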

Never mind whether that drill has any damn point; let's just look at the problem itself.

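The situation at the time: iptables explicitly allowed only one particular IP to reach the Kafka port, and the rule worked once applied, but as soon as Docker restarted, every IP could reach the port again. Since I had more important things on my plate, I simply shut the container down. If anyone needs it, go build your own in the self-service area on the cloud; I'm done playing along.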

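The matter stayed unresolved on my to-do list until recently, when I had some free time, sat down with two virtual machines to test, and was able to fully reproduce the original scenario. I put the question to GPT 4.0-0125-preview and Google Gemini, and the answers I got were not convincing.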

Fortunately, when I asked GPT-4-turbo-2024-04-09, I got a fairly reliable answer:

The issue you are experiencing is likely due to Docker modifying the iptables rules when the Docker service is restarted. Docker manages its own network rules, and it automatically configures the iptables to ensure that containers can communicate correctly and be accessible as required. When Docker starts, it adds rules to the FORWARD chain to allow traffic to and from its containers.

Why Docker Changes iptables on Restart

When Docker is restarted, it reinitializes its network environment, which includes setting up iptables rules to allow for network traffic to reach the containers. This includes adding rules to the FORWARD chain, which is not directly impacted by the rules you’ve set to the INPUT chain.

Your current iptables configuration only modifies the INPUT chain, which handles incoming connections directly to the host. Docker, on the other hand, usually relies on the FORWARD chain for routing traffic to containers. This is why your restriction on port 80 gets overridden once Docker restarts.

How to Solve This

To consistently enforce your access rules even when Docker is restarted, consider the following approaches:

1. Direct Docker iptables Rules

You can instruct Docker not to modify iptables by adding a configuration setting in the Docker daemon settings. Here’s how to do it:

Edit the Docker daemon configuration file, usually located at /etc/docker/daemon.json. If the file does not exist, you can create it.

{
  "iptables": false
}

Restart Docker:

systemctl restart docker

This configuration tells Docker not to alter iptables rules. You will then need to manually manage all the networking rules needed for Docker containers to communicate with the outside world.

2. Adjust Existing iptables and Docker

If you don’t want to disable Docker’s manipulation of iptables:

Allow traffic to Docker containers through iptables while maintaining access rules:

Add iptables rules to selectively allow traffic to specific containers or to Docker’s default bridge network (usually 172.17.0.0/16 by default), or potentially use a different Docker network mode (like host or none).

Make your firewall rules persistent across restarts:

After setting up satisfactory rules that manage both Docker traffic and your other security requirements, ensure these rules are reloaded automatically on boot before Docker starts. This typically involves saving your iptables configuration and using system hooks (e.g., init scripts or systemd services) to reload the rules before Docker’s service initiates.

Continuously monitor and adjust rules:

Maintain vigilance on how your rules are working out and adjust them as needed. Docker network changes or additional containers might require adjustments.

Conclusion

Making sure the Docker daemon’s manipulation of iptables aligns with your security policies requires careful planning and testing. Depending on your specific requirements and network setup, you might choose to disable Docker’s iptables management and handle rules completely manually, or integrate Docker’s automatic rules with manual adjustments to achieve the desired network control. Either way, ensuring your configurations are well-documented and version-controlled can save a lot of headaches in managing complex environments like these.

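After using the first suggested option to stop Docker from adding iptables rules automatically, the firewall's blocking rules kept working as expected even when Docker was restarted.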

Jotting this down for whoever comes after me. All I know is how ignorant I am.
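An added example, not part of the original post or of the quoted answer: a small audit of `iptables-save` output that reports which Docker-published ports are restricted only in the INPUT chain, the situation the answer describes. The sample ruleset, its addresses, and the use of Docker's DOCKER-USER chain (which the post does not mention) are assumptions made here for illustration.

```python
import re

# Constructed iptables-save excerpt (assumed addresses, not from the post).
SAMPLE = """\
*nat
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9092 -j DNAT --to-destination 172.17.0.2:9092
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 2181 -j DNAT --to-destination 172.17.0.3:2181
COMMIT
*filter
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 9092 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9092 -j DROP
-A DOCKER-USER ! -s 10.0.0.5/32 -i eth0 -p tcp -m conntrack --ctorigdstport 2181 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""

DNAT = re.compile(r"--dport (\d+) .*-j DNAT --to-destination ([\d.]+):(\d+)")

def blocks(rules, matches):
    """True if a DROP/REJECT rule names one of the (option, port) pairs.
    Text matching only; this does not evaluate rule order or other matches."""
    return any(re.search(r"-j (DROP|REJECT)\b", r)
               and any(re.search(rf"{opt} {port}\b", r) for opt, port in matches)
               for r in rules)

def audit(ruleset):
    """Return {published host port: verdict} for an iptables-save dump."""
    table, published = None, {}
    chains = {"INPUT": [], "DOCKER-USER": []}
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and (m := DNAT.search(line)):
            published[int(m.group(1))] = int(m.group(3))  # host -> container port
        elif table == "filter" and line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    verdicts = {}
    for host_port, ctr_port in published.items():
        # After DNAT the packet carries the container port and is forwarded;
        # the original host port is visible only via conntrack.
        if blocks(chains["DOCKER-USER"],
                  [("--ctorigdstport", host_port), ("--dport", ctr_port)]):
            verdicts[host_port] = "filtered in DOCKER-USER"
        elif blocks(chains["INPUT"], [("--dport", host_port)]):
            verdicts[host_port] = "INPUT-only: forwarded traffic is not filtered"
        else:
            verdicts[host_port] = "published with no restriction"
    return verdicts
```

On a real host, feed it the output of `iptables-save` run as root; any port reported as INPUT-only is one where the allow-list never sees container-bound traffic.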

