Can't block ports 21 and 5222 with iptables (Docker)?

Question:

I am trying to open only ports 80, 443 and SSH on an Ubuntu VM. I am running Docker, which is what causes ports 21 and 5222 to be visible.

telnet HOST 21
Trying HOST...
Connected to HOST.
Escape character is '^]'.

sudo iptables --list --line-numbers -v
Chain INPUT (policy DROP 23 packets, 1878 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2013  350K ACCEPT     all  --  lo     any     anywhere             anywhere
2     1063  614K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
3        0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
4        1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
5       28  1644 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DOCKER-USER  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 43 packets, 3082 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2013  350K ACCEPT     all  --  any    lo      anywhere             anywhere
2      816  236K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED
4        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             multiport dports http,https ctstate ESTABLISHED

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  any    any     anywhere             anywhere

sudo iptables-save
# Generated by iptables-save v1.6.1 on Sun Mar 3 05:57:34 2019
*nat
:PREROUTING ACCEPT [286:14463]
:INPUT ACCEPT [29:1704]
:OUTPUT ACCEPT [273:16843]
:POSTROUTING ACCEPT [273:16843]
:DOCKER - [0:0]
COMMIT
# Completed on Sun Mar 3 05:57:34 2019
# Generated by iptables-save v1.6.1 on Sun Mar 3 05:57:34 2019
*filter
:INPUT DROP [23:1878]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:3082]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Mar 3 05:57:34 2019
# Generated by iptables-save v1.6.1 on Sun Mar 3 05:57:34 2019
*mangle
:PREROUTING ACCEPT [3829:1086443]
:INPUT ACCEPT [3617:1077407]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3380:702245]
:POSTROUTING ACCEPT [3380:702245]
COMMIT
# Completed on Sun Mar 3 05:57:34 2019




Answer 1:

Regarding your FORWARD rules:

You only have a jump to DOCKER-USER. DOCKER-USER does nothing and then returns to where it came from. The FORWARD default policy is DROP.

If a process is listening on port 21, you can start with:

ss -antp | grep :21

Then you can try to watch the packets passing through the rules:

watch iptables -L -n -v

According to your ruleset, the default INPUT policy should apply:

Chain INPUT (policy DROP 23 packets, 1878 bytes)

Can you resolve the host's DNS with dig or nslookup and check whether it matches what ip a shows on the server?

Answer 2:

As described on the Docker site:

If you need to add rules which load before Docker's rules, add them to the DOCKER-USER chain. These rules are loaded before any rules Docker creates automatically.

By default, all external source IPs are allowed to connect to the Docker daemon.

So the rules you write must be added to the DOCKER-USER chain.
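The two answers together describe a check (find who is listening on the port with ss, then see which iptables chain the traffic actually traverses) and a fix (put the filtering rules in DOCKER-USER, because Docker-forwarded traffic never reaches INPUT). The script below is an added example for this thread, not code from the question, the answers or Docker itself. It parses `iptables-save` and `ss -antp` text (both are constructed samples modelled on the question's output), reports listening TCP ports that no INPUT ACCEPT rule covers and whether DOCKER-USER only RETURNs, and renders the DOCKER-USER rules that would limit forwarded traffic on an external interface to an allowlist of ports. The interface name `eth0` and the process names in the sample are assumptions.

```python
"""Audit an iptables ruleset against the sockets a host is listening on.

Added example for this thread (not the question's, the answers' or Docker's code).
"""
import re

# Constructed sample: the *filter table from the question, abbreviated.
SAMPLE_SAVE = """\
*filter
:INPUT DROP [23:1878]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:3082]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
"""

# Constructed sample: what `ss -antp` might show on such a host (process names assumed).
SAMPLE_SS = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0      4096   0.0.0.0:21         0.0.0.0:*         users:(("docker-proxy",pid=2201,fd=4))
LISTEN  0      4096   0.0.0.0:5222       0.0.0.0:*         users:(("docker-proxy",pid=2210,fd=4))
LISTEN  0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=901,fd=6))
ESTAB   0      0      10.0.0.5:22        203.0.113.7:51234 users:(("sshd",pid=990,fd=5))
"""


def parse_filter_table(save_text):
    """Return {chain: {"policy": str, "rules": [rule line, ...]}} for the *filter table."""
    chains, in_filter = {}, False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"      # only the filter table matters here
        elif not in_filter or line == "COMMIT":
            continue
        elif line.startswith(":"):             # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):           # "-A CHAIN <matches> -j TARGET"
            chain = line.split()[1]
            chains.setdefault(chain, {"policy": "-", "rules": []})["rules"].append(line)
    return chains


def input_accepted_ports(chains):
    """TCP ports that an INPUT ACCEPT rule opens via --dport or --dports."""
    ports = set()
    for rule in chains.get("INPUT", {}).get("rules", []):
        if "-j ACCEPT" not in rule:
            continue
        for match in re.finditer(r"--dports? (\S+)", rule):
            ports.update(int(p) for p in match.group(1).split(","))
    return ports


def docker_user_is_noop(chains):
    """True when DOCKER-USER filters nothing: it is empty or contains only RETURN."""
    rules = chains.get("DOCKER-USER", {}).get("rules", [])
    return all(rule.split("-j")[-1].strip() == "RETURN" for rule in rules)


def listening_ports(ss_text):
    """{port: process name} for the LISTEN sockets in `ss -antp` output."""
    result = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])          # "0.0.0.0:21" -> 21
        proc = re.search(r'\(\("([^"]+)"', line)         # users:(("name",pid=...
        result[port] = proc.group(1) if proc else "?"
    return result


def audit(save_text, ss_text):
    """Listening ports not covered by INPUT, plus whether DOCKER-USER does anything."""
    chains = parse_filter_table(save_text)
    accepted = input_accepted_ports(chains)
    uncovered = {p: proc for p, proc in listening_ports(ss_text).items() if p not in accepted}
    return {
        "input_policy": chains.get("INPUT", {}).get("policy"),
        "uncovered_listeners": uncovered,          # INPUT DROP handles these only if
        "docker_user_noop": docker_user_is_noop(chains),  # the traffic is not forwarded
    }


def docker_user_rules(ext_if, allowed_ports):
    """Commands that make DOCKER-USER pass only the allowed TCP ports arriving on
    ext_if to containers and drop every other new connection from that interface.
    Explicit positions keep the order fixed ahead of the RETURN Docker leaves there."""
    ports = ",".join(str(p) for p in sorted(allowed_ports))
    return [
        f"iptables -I DOCKER-USER 1 -i {ext_if} -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN",
        f"iptables -I DOCKER-USER 2 -i {ext_if} -p tcp -m multiport --dports {ports} -j RETURN",
        f"iptables -I DOCKER-USER 3 -i {ext_if} -j DROP",
    ]


if __name__ == "__main__":
    report = audit(SAMPLE_SAVE, SAMPLE_SS)
    print(report)
    if report["docker_user_noop"]:
        print("\n".join(docker_user_rules("eth0", {80, 443})))   # eth0 is an assumption
```

Run it with the real output of `sudo iptables-save` and `ss -antp` in place of the samples. Ports owned by docker-proxy that show up as uncovered are the ones INPUT cannot protect: external packets to a published port are DNATed to the container in nat PREROUTING and then traverse FORWARD, so only a DOCKER-USER rule (matched by the external interface so that container and loopback traffic is untouched) filters them.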


