如何阻止与在主机上的 docker 容器中创建的 IP 的连接
[英]How to block the connection to an IP which is created in docker container on host
问题描述
There is a docker container running in bridge network mode.
有一个 docker 容器以桥接网络模式运行。 Inside the container, it creates a connection to, say, 10.123.123.1:6666 .在容器内部,它会创建一个到10.123.123.1:6666的连接。 I'd like to block this connection on host through IPTABLES, something like sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP , but it doesn't work.我想通过 IPTABLES 阻止主机上的此连接,例如sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP ,但它不起作用。 Could anyone help me on this please?有人可以帮我吗?
I can't even see this connection on host by command netstat -an , but I can see it inside the container.我什至无法通过命令netstat -an在主机上看到此连接,但我可以在容器内看到它。
I don't have to use IPTABLES, but I can't change the configuration of the docker running.我不必使用 IPTABLES,但无法更改正在运行的 docker 的配置。
1 个解决方案
解决方案1
0 已采纳 2020-07-06 12:11:48
These packets are going through INPUT & OUTPUT chains in the container's network namespace, and not in the host's network namespace.这些数据包在容器的网络命名空间中通过 INPUT 和 OUTPUT 链,而不是在主机的网络命名空间中。
All your host network namespace does is forward these packets so you need to alter the FORWARD chain with a rule similar to iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP .您的主机网络命名空间所做的只是转发这些数据包,因此您需要使用类似于iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP的规则来更改 FORWARD 链。 Bear in mind that Docker alters iptables rules which may punch holes in the firewall.请记住,Docker 会更改 iptables 规则,这可能会在防火墙上打孔。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.