
Ubuntu - firewall rules MySQL on host | Docker containers to host

Is there any possible way to set up the host firewall to allow connections only from the network the Docker containers use?

Intro

The only way I was able to connect to an OS-hosted MySQL instance from my new Docker containers was by opening the port:

sudo ufw allow 3310

Inside the Docker container I am then able to connect using:

 (Docker container): mysql -u testuser -p -h 172.100.0.1 -P 3310

However, this way the port is open to the internet as well; I would rather use SSH to connect using credentials.

NOTE: MySQL bind-address=0.0.0.0 is set

Information

  • On host:

NOTE: Showing only the applicable Docker network information - my containers use a custom named network (d-custom-network)

  ifconfig

  d-custom-network: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 172.100.0.1  netmask 255.255.0.0  broadcast 172.100.255.255
    inet6 fe80::42:b8ff:fe7f:c4bf  prefixlen 64  scopeid 0x20<link>
    ether 02:42:b8:7f:c4:bf  txqueuelen 0  (Ethernet)
    RX packets 473  bytes 34668 (34.6 KB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 403  bytes 119797 (119.7 KB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
    inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
    inet6 fe80::42:13ff:fefc:301f  prefixlen 64  scopeid 0x20<link>
    ether 02:42:13:fc:30:1f  txqueuelen 0  (Ethernet)
    RX packets 28509  bytes 1593290 (1.5 MB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 33351  bytes 173437123 (173.4 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • Inside container:

     ip addr
     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
         inet 127.0.0.1/8 scope host lo
            valid_lft forever preferred_lft forever
     69: eth0@if70: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
         link/ether 02:42:ac:64:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
         inet 172.100.0.4/16 brd 172.100.255.255 scope global eth0
            valid_lft forever preferred_lft forever
  • Docker network information:

     docker network ls
     NETWORK ID     NAME                         DRIVER    SCOPE
     8a35ff6a0a88   bridge                       bridge    local
     572f80997782   magento2-network-frontend    bridge    local
     4590216456c0   host                         host      local
     a79a85d3a426   none                         null      local
  • Docker network inspect (partial content):

     docker network inspect magento2-network-frontend
     [
         {
             "Name": "glo-magento2.3-network-frontend",
             "Id": "572f809977826942d1b582c17f2ac67f25f4221ddfe5a2f504ccb12a3aa6c786",
             "Created": "2020-08-11T12:05:51.988694032Z",
             "Scope": "local",
             "Driver": "bridge",
             "EnableIPv6": false,
             "IPAM": {
                 "Driver": "default",
                 "Options": null,
                 "Config": [
                     {
                         "Subnet": "172.100.0.0/16"
                     }
                 ]
             },

Partial iptables listing (Docker destinations) - I noticed this connection information when connecting from inside the container while testing MySQL with a deliberately failed login:

   FROM Within container:

   ERROR 1045 (28000): Access denied for user 'testuser'@'cpe-172-100-0-4.twcny.res.rr.com'
   ping cpe-172-100-0-4.twcny.res.rr.com
   PING cpe-172-100-0-4.twcny.res.rr.com (172.100.0.4) 56(84) bytes of data.
   64 bytes from 54195d3486eb (172.100.0.4): icmp_seq=1 ttl=64 time=0.063 ms

   iptables -L 

   Chain DOCKER (2 references)
   target     prot opt source               destination
   ACCEPT     tcp  --  anywhere             cpe-172-100-0-2.twcny.res.rr.com  tcp dpt:6082
   ACCEPT     tcp  --  anywhere             cpe-172-100-0-2.twcny.res.rr.com  tcp dpt:6081
   ACCEPT     tcp  --  anywhere             cpe-172-100-0-3.twcny.res.rr.com  tcp dpt:6379
   ACCEPT     tcp  --  anywhere             cpe-172-100-0-4.twcny.res.rr.com  tcp dpt:http-alt
   ACCEPT     tcp  --  anywhere             cpe-172-100-0-5.twcny.res.rr.com  tcp dpt:https
   ACCEPT     tcp  --  anywhere             cpe-172-100-0-5.twcny.res.rr.com  tcp dpt:http

What I tried

I thought I would be able to use the method mentioned here. This is also why I investigated how to make sure of the docker network name used by the host (i.e. the ifconfig output); in my example I created d-custom-network.

Direct link

To allow access on a specific port, let's say port 3306, only to a specific network interface eth2, you need to specify allow in on and the name of the network interface:

 $ sudo ufw allow in on eth2 to any port 3306

 $ sudo ufw reload

So I tried sudo ufw allow in on d-custom-network to any port 3310

That is when I noticed the docker cpe-172-100-0-2.twcny.res.rr.com output when trying to force a failed login for testing the location I connect from.

I do not think I understood the usage correctly, and assumed that I could use the internal network 172.100.0.* where my docker containers connect to/from.

How would I go about this?

I had the same question, and the following worked for me (all commands run on the host):

  1. Identify which network your container is attached to:

     $ docker inspect mycontainer
     ...
         "Networks": {
             "bridge": {
                 "IPAMConfig": null,
                 "Links": null,
                 "Aliases": null,
                 "NetworkID": "b8ecee4683b22db9154f8c3e56b48f371b2bdf663f25d092112fc7eb410a4816",
                 "EndpointID": "56cd2b50116f92d49c643457059a0ef0350e14509a16d1b615f806bb62eb4ad5",
                 ...
             }
         }
     ...

    My container mycontainer is attached to the network named bridge:

     $ docker network ls
     NETWORK ID     NAME      DRIVER    SCOPE
     b8ecee4683b2   bridge    bridge    local
     f9a4ecf5db2b   host      host      local
     cc168ad8f868   none      null      local
  2. Identify which of the host's network interfaces corresponds to the bridge network:

     $ docker network inspect bridge
     ...
         "Options": {
             ...
             "com.docker.network.bridge.name": "docker0",
             ...
         },
     ...

    My network bridge corresponds to the host network interface docker0:

     $ ip addr
     ...
     3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
         link/ether 02:42:c8:b4:a4:ba brd ff:ff:ff:ff:ff:ff
         inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
            valid_lft forever preferred_lft forever
         inet6 fe80::42:c8ff:feb4:a4ba/64 scope link
            valid_lft forever preferred_lft forever
     ...
  3. Allow traffic from the identified host network interface docker0 to port 3310 anywhere:

     $ sudo ufw allow in on docker0 to any port 3310

I tested it, and the database port on the host is now:

  • accessible when connecting from inside the docker container, and
  • filtered by the firewall when trying to connect from the network outside the host.

Also, since we're talking about securing a docker host with UFW, I feel it's important to mention this side note/warning about using UFW with docker, in case you're not already aware: See this discussion for details; in summary, Docker by default may override UFW's firewall rules in ways that a typical user may not be expecting. In particular, I think that exposing a port on a container via docker -p actually punches a hole in your firewall on that port, which UFW does not see or control.
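The three steps of the answer above, consolidated into one script as an added example by the editor (this is not code from the question or the answer). It derives the host interface name of a user-defined bridge network, composes a ufw rule scoped to that interface and its subnet, and wraps the live lookups you would run on the host. The network ID, subnet and port are constructed to match the values shown in the post; the function names and the DRY_RUN convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): scope a host-side MySQL
# port to one Docker bridge network. Everything after the function definitions is
# a dry run on constructed values; nothing is applied unless you run the printed
# command yourself. Assumptions: network ID, subnet and port below are constructed,
# and ip(8)/docker are only invoked when present.

# Docker names the host interface of a user-defined bridge "br-" followed by the
# first 12 hex characters of the network ID, unless the network was created with
# -o com.docker.network.bridge.name=<name> (how a name like d-custom-network
# ends up in ifconfig).
bridge_iface_name() {
    # $1 = full network ID, $2 = explicit bridge-name option, or empty if unset
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
    fi
}

# Compose the ufw rule. "in on $iface" accepts only packets arriving on the bridge;
# "from $subnet" and "proto tcp" narrow it further so the port is not opened for
# anything else that may later be attached to the same bridge.
ufw_rule() {
    # $1 = host interface, $2 = bridge subnet (CIDR), $3 = TCP port
    printf 'ufw allow in on %s from %s to any port %s proto tcp\n' "$1" "$2" "$3"
}

# Live check on a real host: which interface holds an address in the bridge
# subnet? This works whether or not the bridge-name option was set, because it
# asks the kernel rather than Docker. Prints nothing if ip(8) is unavailable.
iface_for_subnet() {
    command -v ip >/dev/null 2>&1 || return 0
    ip -o -4 addr show to "$1" | awk '{ print $2; exit }'
}

# Live lookup of the network ID and first subnet of a named Docker network.
docker_network_facts() {
    command -v docker >/dev/null 2>&1 || return 0
    docker network inspect -f '{{.Id}} {{(index .IPAM.Config 0).Subnet}}' "$1"
}

# Dry run on constructed values modelled on the post (network ID and subnet from
# the poster's "docker network inspect", port 3310 from the question).
NET_ID="572f809977826942d1b582c17f2ac67f25f4221ddfe5a2f504ccb12a3aa6c786"
SUBNET="172.100.0.0/16"
PORT="3310"

IFACE="$(bridge_iface_name "$NET_ID" "d-custom-network")"   # name option was set
RULE="$(ufw_rule "$IFACE" "$SUBNET" "$PORT")"
echo "would run: sudo $RULE && sudo ufw reload"
echo "interface name Docker would have chosen without the option: $(bridge_iface_name "$NET_ID" "")"

# To verify on the host after applying:
#   sudo ufw status numbered            -> the rule shows "on d-custom-network"
#   from a container: mysql -u testuser -p -h 172.100.0.1 -P 3310   (connects)
#   from another machine: nc -zv <host-ip> 3310                     (times out)
```

This rule protects a service listening on the host itself, which is traffic ufw's INPUT chain sees. It does nothing for ports published from containers with -p: Docker handles those with DNAT and its own FORWARD/DOCKER chains that ufw does not manage, so a published port stays reachable regardless of ufw's INPUT rules; the documented place to filter that traffic is the DOCKER-USER chain.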
