Requirements: A private home album system was built with Docker containers and is restricted to access and viewing on the home LAN. Because the Docker image is developed by a third party, I don't know whether it poses a security risk that could leak private data. To better address this concern, we want to add a privacy safeguard by prohibiting the Docker containers from accessing the Internet (external network).
This article uses a CentOS 7 system with Docker version 20.10.20, and uses the nginx image for the tests.
Internet access (extranet) is allowed by default
Create a new nginx container that provides a web service accessible on port 18080. By default this container can access the Internet (external network). The command is as follows:
Enter the container and request this site's resources with the curl command; they are retrieved normally, as shown in the figure below:
Disabling Docker containers from accessing the internet (extranet)
First, we need to create a custom network through Docker; this also creates a virtual network card (a bridge interface) on the host. The command is as follows:
Then set a rule on that virtual NIC through iptables to prohibit access to the Internet. The command is as follows:
Regardless of whether the iptables service is available and whether the firewall is turned on, iptables rules added on the command line take effect immediately!
Note: with this approach, if different containers join the same network, the containers will not be able to communicate with each other!
Look at the DOCKER-USER rule as shown below:
Create another new nginx container that provides the web service to the outside world on port 18081; this container is prohibited from accessing the Internet (public network). The command is as follows:
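The following script is an added example and not the article's own commands (those are not reproduced on this page). It writes out the three steps above as one reproducible sequence: create the user-defined bridge network, insert the blocking rule into the DOCKER-USER chain, and start a test container on that network. The network name album_noinet, subnet 172.30.0.0/24, bridge name br-album and host port 18081 are my assumptions. It also goes slightly beyond the article's rule: it drops only NEW connections that leave the bridge for another interface, so replies to LAN clients of the published port still flow and containers on the same network can still talk to each other (the article's plain per-interface DROP also blocks that, as its note says). By default it only prints the commands; run it as root with APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not the article's own commands. Builds (and, with APPLY=1 as
# root, runs) the steps the article describes: a user-defined bridge network plus
# a DOCKER-USER rule that stops containers on that bridge from opening
# connections to anything outside the bridge. All names below are assumptions.
NET_NAME="${NET_NAME:-album_noinet}"
NET_SUBNET="${NET_SUBNET:-172.30.0.0/24}"
BRIDGE_IF="${BRIDGE_IF:-br-album}"   # pinned via com.docker.network.bridge.name
HOST_PORT="${HOST_PORT:-18081}"

# Step 1: the network. Pinning the bridge name keeps the iptables rule valid if
# the network is ever recreated (the default br-<hash> name would change).
create_network_cmd() {
    printf 'docker network create --driver bridge --subnet %s -o com.docker.network.bridge.name=%s %s\n' \
        "$NET_SUBNET" "$BRIDGE_IF" "$NET_NAME"
}

# Step 2: the firewall rule. DOCKER-USER is evaluated before Docker's own
# FORWARD rules, so a rule inserted here wins. Matching only NEW connections
# means replies to LAN clients of the published port are still forwarded, and
# the "! -o" test leaves container-to-container traffic on the bridge alone.
block_rule_cmd() {
    printf 'iptables -I DOCKER-USER -i %s ! -o %s -m conntrack --ctstate NEW -j DROP\n' \
        "$BRIDGE_IF" "$BRIDGE_IF"
}

# Step 3: a test container on the isolated network, reachable from the LAN on HOST_PORT.
run_container_cmd() {
    printf 'docker run -d --name nginx_noinet --network %s -p %s:80 nginx\n' \
        "$NET_NAME" "$HOST_PORT"
}

# Step 4: how to verify. An outbound fetch from inside the container must fail,
# while the same page fetched from a LAN machine through the host must succeed.
verify_cmds() {
    echo "docker exec nginx_noinet curl -sS -m 5 http://example.com || echo 'blocked as intended'"
    echo "curl -sS http://<host-lan-ip>:$HOST_PORT/"
    echo "iptables -L DOCKER-USER -n -v"
}

plan() {
    create_network_cmd
    block_rule_cmd
    run_container_cmd
    verify_cmds
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        # Execute the real commands (requires root, docker and iptables).
        sh -c "$(create_network_cmd)" && sh -c "$(block_rule_cmd)" && sh -c "$(run_container_cmd)"
    else
        echo "# Dry run; set APPLY=1 to execute the first three commands:"
        plan
    fi
}
main
```

Inserting with `-I` puts the DROP rule at position 1 of DOCKER-USER, ahead of the RETURN rule Docker places there, which is why it takes precedence. If you do want the stricter behaviour from the article (no container-to-container traffic either), drop the `! -o` and `--ctstate NEW` parts, but then also add an ACCEPT for `-m conntrack --ctstate RELATED,ESTABLISHED` before it, otherwise replies to LAN clients of port 18081 are dropped as well.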
We have achieved our goal, but after restarting the server, the rules we created in iptables will disappear. How can we automatically load our custom rules after the server is restarted?
The iptables-save command exports the iptables tables in the Linux kernel to standard output; the shell's I/O redirection is usually used to save its output to a specified file. Save the existing iptables rules:
Add the iptables restore command to the boot startup file, /etc/rc.d/rc.local: edit the file and add the following command at the end:
Finally, add the execute permission with the following command:
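The script below is an added example rather than the article's own commands. It performs the same three steps (iptables-save to a file, an iptables-restore line at the end of /etc/rc.d/rc.local, chmod +x) but makes them idempotent, so running it twice does not append a second restore line. The rules file path /etc/sysconfig/iptables.docker is an assumption; RULES_FILE and RC_LOCAL can be overridden, which also lets the functions be exercised on temporary files without touching the system. Nothing is changed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the article's own commands: save the running rules and make
# /etc/rc.d/rc.local restore them at boot. Paths below are assumptions.
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables.docker}"
RC_LOCAL="${RC_LOCAL:-/etc/rc.d/rc.local}"

# Dump the running rules. The DOCKER-USER rule references the bridge interface
# by name, so the saved file only stays valid while that name is stable (pin it
# with com.docker.network.bridge.name when creating the network).
save_rules() {
    iptables-save > "$RULES_FILE"
}

# Append the restore command to rc.local exactly once.
# Returns 0 if a line was added, 1 if it was already present.
add_restore_line() {
    rc_file="$1"; rules_file="$2"
    line="iptables-restore < $rules_file"
    if grep -qxF "$line" "$rc_file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$line" >> "$rc_file"
}

# CentOS 7 ships rc.local without the execute bit; without it rc-local.service
# never runs and the restore line is silently ignored.
make_executable() {
    chmod +x "$1"
}

# How many restore lines in rc.local point at the given rules file (should be 1).
restore_line_count() {
    n=$(grep -cxF "iptables-restore < $2" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

persist() {
    save_rules
    add_restore_line "$RC_LOCAL" "$RULES_FILE" || true
    make_executable "$RC_LOCAL"
}

# Only touch the real system when explicitly asked.
if [ "${APPLY:-0}" = 1 ]; then
    persist
fi
```

rc.local gives no ordering guarantee relative to docker.service, so the saved rule must not depend on anything Docker creates at runtime: an interface match such as `-i br-album` is accepted by iptables even before that interface exists, and the DOCKER-USER chain itself is recreated by the dump. After a reboot, `iptables -L DOCKER-USER -n -v` should still show the DROP rule with a non-zero packet counter once a container has tried to reach the Internet.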
After the settings are complete, the iptables rules will still take effect even if the server is restarted.
To prohibit all containers in Docker from accessing the Internet (extranet) (not tested), the command is as follows:
(End)