Docker 트래픽 필터링

Question

내가 해냈어! @preserve핵심 단어입니다. 이는 ferm에게 이러한 체인을 그대로 유지하라고 지시합니다. 여기에서 발견https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely

이것이 나의 새로운 구성이다

#vars
@def $WG_PORT = XXX;
@def $TCP_PORTS = (80 443 22);


table filter {

    # keep docker-chains
    chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD KUBE-FIREWALL DOCKER-USER) @preserve;    

    chain mainRules {
        #allow local and wireguard
        interface (lo wg0 docker0 br+) ACCEPT;
        source 127.0.0.1 ACCEPT;

        #keep connected
        mod conntrack ctstate (ESTABLISHED RELATED) jump ACCEPT;

        #icmp
        proto icmp {
            mod limit limit  10/minute limit-burst 10 ACCEPT;
            DROP;
        }

        # allow wireguard-traffic instant
        proto udp dport ($WG_PORT) ACCEPT;


        # drop any-query for nameserver when udp
        proto udp dport (53) {
            mod string from 40 algo bm hex-string "|0000ff0001|" DROP;
            ACCEPT;
        }

        #tcp
        proto tcp dport ($TCP_PORTS) {

            #prevent syn-flood, but accept other
            syn {
                mod limit limit 10/sec limit-burst 10 jump PREACCEPT;
                DROP;
            }

            jump ACCEPT;
        }
    }


    chain INPUT {
        policy DROP;
        jump mainRules;
    }

    chain OUTPUT {
        policy ACCEPT;
    }

    chain FORWARD {
        policy ACCEPT;
    }
}

table nat {

    chain (DOCKER DOCKER-INGRESS PREROUTING POSTROUTING OUTPUT DOCKER-USER KUBE-POSTROUTING) @preserve;
}

이제 ferm과 docker는 함께 잘 작동합니다.

Answer 1

내가 해냈어! @preserve핵심 단어입니다. 이는 ferm에게 이러한 체인을 그대로 유지하라고 지시합니다. 여기에서 발견https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely

이것이 나의 새로운 구성이다

#vars
@def $WG_PORT = XXX;
@def $TCP_PORTS = (80 443 22);


table filter {

    # keep docker-chains
    chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD KUBE-FIREWALL DOCKER-USER) @preserve;    

    chain mainRules {
        #allow local and wireguard
        interface (lo wg0 docker0 br+) ACCEPT;
        source 127.0.0.1 ACCEPT;

        #keep connected
        mod conntrack ctstate (ESTABLISHED RELATED) jump ACCEPT;

        #icmp
        proto icmp {
            mod limit limit  10/minute limit-burst 10 ACCEPT;
            DROP;
        }

        # allow wireguard-traffic instant
        proto udp dport ($WG_PORT) ACCEPT;


        # drop any-query for nameserver when udp
        proto udp dport (53) {
            mod string from 40 algo bm hex-string "|0000ff0001|" DROP;
            ACCEPT;
        }

        #tcp
        proto tcp dport ($TCP_PORTS) {

            #prevent syn-flood, but accept other
            syn {
                mod limit limit 10/sec limit-burst 10 jump PREACCEPT;
                DROP;
            }

            jump ACCEPT;
        }
    }


    chain INPUT {
        policy DROP;
        jump mainRules;
    }

    chain OUTPUT {
        policy ACCEPT;
    }

    chain FORWARD {
        policy ACCEPT;
    }
}

table nat {

    chain (DOCKER DOCKER-INGRESS PREROUTING POSTROUTING OUTPUT DOCKER-USER KUBE-POSTROUTING) @preserve;
}

이제 ferm과 docker는 함께 잘 작동합니다.

Docker 트래픽 필터링

답변1

관련 정보