The use of iptabels is required in the Docker Swarm environment

by Devin Yang
(This article was automatically translated.)

Published - 2 years ago ( Updated - 2 years ago )

First of all, in the Linux environment, Docker uses iptables rules to provide network isolation.
However, in the environment of Docker swarm mode, we cannot identify the connection port under 127.0.0.1 of the host.
At this time, we can customize the rules through the DOCKER-USER chain in iptables.

Docker installs two custom iptables chains named DOCKER-USER and DOCKER, which ensures that incoming packets are always inspected first by these two chains.

All iptables rules for Docker are added to the DOCKER chain. Do not manipulate this chain manually.

If you need to add rules that load before Docker rules,

use the DOCKER-USER chain. These rules are enabled before any rules created automatically by Docker.

For example, my nginx has opened port 8081, which represents the input host's ip, adding port 8081 can access the host. 

cyh3692mbacl   dlaravel_web          replicated   4/4        nginx:latest      *:8081->80/tcp

But in fact, I prefer to access the host through HAProyx, instead of opening the host's ip and port 8081 to access it. The solution is to adjust iptables.

We can use the following command to view the previous rules

iptables -nL DOCKER-USER
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Basically it is completely open, we can write a bash as follows, please note that this is just an example, please adjust it according to your own needs.
This example includes different network segments or specific IP and network card. 

#!/bin/bash
iptables -F DOCKER-USER
#全檔只能用本機的ip存取
iptables -I DOCKER-USER -p tcp -m multiport --dports 8025,8084,30001,30020 -j DROP
#鎖區網在可以連
iptables -I DOCKER-USER -i eno1 ! -s 10.0.0.26 -p tcp -m multiport --dports 8080,8081 -j DROP
iptables -I DOCKER-USER -i eno2 ! -s 192.168.88.0/24 -p tcp -m multiport --dports 3306,2222,1024 -j DROP
iptables -A DOCKER-USER -j RETURN
#列出規則
iptables -nL DOCKER-USER

At the beginning I cleared all rules first

iptables -F DOCKER-USER

I won't say much about the rest, I believe everyone can guess it.

 

 

Tags: docker

Devin Yang

Feel free to ask me, if you don't get it.:)

Follow

No Comment

Post your comment

Login is required to leave comments

Similar Stories


城堡
d-laravel, docker, laravel, docker-compose

D-Laravel v1.0.0 release change description

In order to allow the container to be used more flexibly, D-Laravel has released version v1.0.0, which is not backward compatible. https://github.com/DevinY/dlaravel/releases/tag/v1.0.0 If you are using before v1.0.0, you need to modify the .env file of the Laravel project, change DB_HOST=127.0.0.1 to DB_HOST=db If you have a custom docker-compose-custom.yml file....more

城堡
docker

Docker antivirus strategy

I just watched Story of Yanxi Palace recently, so I wanted to introduce a MacOS anti-drug strategy. This article teaches you how to use Docker to clean MacOS. Briefly introduce how we use anti-virus software to scan viruses through docker. It is assumed that my current directory is in my home directory, so ${PWD} is the current directory and will be mounted to the scan folder in the container. Therefore, when you use clamscan -r /scan/, you can scan all the files. Adding the -r parameter will use the recursive method to enter the subdirectory layer by layer to scan.

城堡
laravel,docker

How to customize Laravel pagination

Recently, I have been free, and I want to adjust the arrows on the upper and lower pages of the website. If you don’t know how to customize Laravel’s pagination, You can take a look at a short three-minute introduction on how I customize Laravel's pagination.