[英]How to block the connection to an IP which is created in docker container on host
There is a docker container running in bridge network mode.有一个 docker 容器以桥接网络模式运行。 Inside the container, it creates a connection to, say,
10.123.123.1:6666
.在容器内部,它会创建一个到
10.123.123.1:6666
的连接。 I'd like to block this connection on host through IPTABLES, something like sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP
, but it doesn't work.我想通过 IPTABLES 阻止主机上的此连接,例如
sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP
,但它不起作用。 Could anyone help me on this please?有人可以帮我吗?
I can't even see this connection on host by command netstat -an
, but I can see it inside the container.我什至无法通过命令
netstat -an
在主机上看到此连接,但我可以在容器内看到它。
I don't have to use IPTABLES, but I can't change the configuration of the docker running.我不必使用 IPTABLES,但无法更改正在运行的 docker 的配置。
These packets are going through INPUT & OUTPUT chains in the container's network namespace, and not in the host's network namespace.这些数据包在容器的网络命名空间中通过 INPUT 和 OUTPUT 链,而不是在主机的网络命名空间中。
All your host network namespace does is forward these packets so you need to alter the FORWARD chain with a rule similar to iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP
.您的主机网络命名空间所做的只是转发这些数据包,因此您需要使用类似于
iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP
的规则来更改 FORWARD 链。 Bear in mind that Docker alters iptables rules which may punch holes in the firewall.请记住,Docker 会更改 iptables 规则,这可能会在防火墙上打孔。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.