堆栈内存溢出
  简体   繁体   English

禁止从Docker容器到内部网络的流量

[英]Don't allow traffic from docker container to internal network

 原文  2019-04-05 18:59:20       docker/ docker-swarm

问题描述

I have a web application, where users can register and start containers with a few clicks. 我有一个Web应用程序,用户只需单击几下即可注册和启动容器。 The creation of the container is done by commuication of my web application with the docker deamon via tcp. 容器的创建是通过tcp将我的Web应用程序与docker deamon通信来完成的。

My problem now is, that the user can also upload binary files via FTP into their docker volume. 我现在的问题是,用户还可以通过FTP将二进制文件上传到他们的docker卷中。 All binaries are loaded after a start of the container. 启动容器后,将加载所有二进制文件。 So people could run every piece of code inside of the container and also start sending packets in my internal network to unsecured endpoints. 因此,人们可以在容器内部运行每段代码,也可以开始在我的内部网络中向不安全的端点发送数据包。 From inside of the container I can ping the docker host and other nodes, that are in my local network. 从容器内部,我可以对本地网络中的docker主机和其他节点执行ping操作。

My goal is, that the containers should only be able to communicate with endpoints outside of my network. 我的目标是,这些容器只能与网络外部的端点进行通信。 Is there a way, to achieve this desired behaviour? 有没有办法实现这种期望的行为?

1 个解决方案

解决方案1
 0  2019-04-06 07:53:54

This is not really a docker specfic problem. 这并不是一个特定于码头工人的问题。 It seems what you want to do is block access from an internal network range (let's call it docker-range ) to your other internal network hosts, but still allow docker-range access to the public internet. 似乎您想要做的是阻止从内部网络范围(称为docker-range )到其他内部网络主机的访问,但仍允许docker-range访问公共互联网。

You need to change your routing and firewall settings to achieve this. 您需要更改路由和防火墙设置才能实现此目的。 If you are on Linux, I would suggest to use iptables . 如果您使用Linux,则建议使用iptables

With the example bridge network configuration given in the docker docs this could look similar to 借助docker docs中提供的示例网桥网络配置,这看起来类似于 

sudo iptables -A FORWARD --source 192.168.1.5/24 --destination 10.0.0.0/24 -j REJECT

source would be your docker bridge network ( docker-range ), --destination would be your other internal hosts. source将是您的--destination桥接网络( --destination -range ),-- --destination将是您的其他内部主机。

You need to make sure that the traffic from the docker containers goes through this firewall. 您需要确保来自Docker容器的流量通过此防火墙。 Usually, you would apply the configuration at the router set as default-gateway in the docker bridge network configuration. 通常,您将在配置为docker bridge网络配置中default-gateway的路由器上应用配置。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 允许从本地主机到 docker 容器的流量 - Allow traffic from localhost to docker container 允许 docker 容器接受来自公共 IP 的流量 - Allow docker container to accept traffic from public IPs UFW 允许来自 Docker 的流量 - UFW to allow traffic from Docker 主机网络上的Nginx Docker容器不提供Angular应用 - Nginx docker container on host network don't serve angular app 从内部网络中的另一台机器访问 Docker 容器 - Accessing Docker container from another machine in an internal network 允许我的Docker容器发出网络请求 - Allow my docker container to make network requests 无法将流量传入Docker容器 - Can't get traffic into docker container 码头集装箱不停 - docker container don't stop Docker 容器不启动 - Docker container don't start 我如何评价 docker 容器上的 limit.network 流量 - How can I rate limit network traffic on a docker container
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM