%20%EC%84%9C%EB%B2%84%EC%97%90%20%EB%8C%80%ED%95%9C%20%EB%A1%9C%EA%B7%B8%EC%9D%B8%20%EC%8B%9C%EB%8F%84%EB%A5%BC%20%EA%B8%88%EC%A7%80%ED%95%98%EB%8A%94%20%EB%8D%B0%202%EB%B2%88%20%EC%8B%A4%ED%8C%A8%ED%96%88%EC%8A%B5%EB%8B%88%EB%8B%A4..png)
다음과 같이 호스트/도커 설정에 문제가 있습니다. 호스트는 볼륨에 매핑된 도커 컨테이너의 mail.log 파일에 액세스하는 실패2반을 실행합니다. 다 괜찮아요. 나는 Jail.local을 정의했습니다.
[postfix-sasl]
enabled = true
port = smtpd
filter = postfix-sasl
logpath = /var/lib/docker/volumes/smtp2/_data/mail.log
bantime = 604800
maxretry = 5
action = docker-action
필터 postfix-sasl.conf
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
_port = (?::\d+)?
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
[Init]
journalmatch = _SYSTEMD_UNIT=postfix.service
그리고 docker-action.conf의 작업
[Definition]
actionstart =
actionstop =
actioncheck = iptables -n -L FORWARD | grep -q 'DOCKER[ \t]'
actionban = iptables -I DOCKER 1 -s <ip> -j DROP
actionunban = iptables -D DOCKER -s <ip> -j DROP
모든 것이 잘 작동하는 것 같습니다.
2018-08-14 16:51:24,048 fail2ban.actions [26209]: WARNING [postfix-sasl] 181.214.206.133 already banned
원하는 대로 iptables -S에 다음 항목을 추가했습니다.
-A DOCKER -s 181.214.206.133/32 -j DROP
하지만 내 컨테이너에는 모든 시도가 여전히 이렇게 들어옵니다.
Aug 14 17:34:28 smtp2 postfix/smtpd[16114]: warning: unknown[181.214.206.133]: SASL LOGIN authentication failed: authentication failure
Aug 14 17:34:29 smtp2 postfix/smtpd[16114]: disconnect from unknown[181.214.206.133] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Aug 14 17:34:52 smtp2 postfix/smtpd[16114]: connect from unknown[181.214.206.133]
iptables -S의 출력
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N DOCKER-USER
-N f2bd-postfix-sasl
-N fail2ban-postfix
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-loggireject-input
-A INPUT -j ufw-track-input
-A FORWARD -p tcp -m multiport --dports 25 -j fail2ban-postfix
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -s 69.10.48.187/32 -j DROP
-A DOCKER -s 181.214.206.133/32 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
iptables -vnL FORWARD 출력 |
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate ELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
이러한 요청이 여전히 도커 컨테이너로 전달되는 이유를 설명해 줄 수 있는 사람이 있나요? 내가 뭐 놓친 거 없니?
답변1
귀하의 DOCKER체인은 에서만 호출됩니다 FORWARD. 숫자 0에서 알 수 있듯이 규칙에 도달하지 않았습니다. 또한 DOCKER에서 해당 체인을 호출 해 보세요 INPUT.