by Devin Yang
(This article was automatically translated.)

Published - 10 months ago ( Updated - 10 months ago )

First of all, in the Linux environment, Docker uses iptables rules to provide network isolation.
However, in the environment of Docker swarm mode, we cannot identify the connection port under of the host.
At this time, we can customize the rules through the DOCKER-USER chain in iptables.

Docker installs two custom iptables chains named DOCKER-USER and DOCKER, which ensures that incoming packets are always inspected first by these two chains.

All iptables rules for Docker are added to the DOCKER chain. Do not manipulate this chain manually.

If you need to add rules that load before Docker rules,

use the DOCKER-USER chain. These rules are enabled before any rules created automatically by Docker.

For example, my nginx has opened port 8081, which represents the input host's ip, adding port 8081 can access the host.

cyh3692mbacl   dlaravel_web          replicated   4/4        nginx:latest      *:8081->80/tcp

But in fact, I prefer to access the host through HAProyx, instead of opening the host's ip and port 8081 to access it. The solution is to adjust iptables.

We can use the following command to view the previous rules

iptables -nL DOCKER-USER
RETURN     all  --  

Basically it is completely open, we can write a bash as follows, please note that this is just an example, please adjust it according to your own needs.
This example includes different network segments or specific IP and network card.

iptables -F DOCKER-USER
iptables -I DOCKER-USER -p tcp -m multiport --dports 8025,8084,30001,30020 -j DROP
iptables -I DOCKER-USER -i eno1 ! -s -p tcp -m multiport --dports 8080,8081 -j DROP
iptables -I DOCKER-USER -i eno2 ! -s -p tcp -m multiport --dports 3306,2222,1024 -j DROP
iptables -nL DOCKER-USER

At the beginning I cleared all rules first

iptables -F DOCKER-USER

I won't say much about the rest, I believe everyone can guess it.



Tags: docker

Devin Yang

Feel free to ask me, if you don't get it.:)

No Comment

Post your comment

Login is required to leave comments

Similar Stories

docker, api

Introduction to Swagger

The best APIs are built using the Swagger tool, This article introduces how to use docker to execute swagger-ui and editor, let us create a testable API file. In the docker environment, we can easily start the swagger editor and user interface.

docker, d-laravel, docker-compose, laravel

docker-compose loads multiple configuration files

We will use docker --network to establish multiple container interconnections, but if there are four containers, Is it necessary to issue docker run instructions for different containers four times, kill me, This article introduces the establishment of multiple containers at one time through the yaml file definition of docker-compose. Learn how to load multiple configuration files with the dokcer-compose -f parameter.  


Install Docker and docker-compose with Raspberry Pi

This article briefly introduces how we install docker and docker-compose on Raspberry Pi.