Docker official documentation: firewall guide
Add firewall rules to the iptables DOCKER-USER chain. Docker jumps to DOCKER-USER from the top of FORWARD, before its own rules, and does not flush that chain when it rebuilds its rule set, so rules placed there are evaluated ahead of Docker's published-port rules. Rules added to FORWARD or to the DOCKER chain directly are lost when dockerd rewrites its rules.
https://docs.docker.com/network/packet-filtering-firewalls/
Setting it up with firewalld
Put the iptables rules directly into /etc/firewalld/direct.xml. The direct interface passes the rules to iptables unchanged, which is what lets them target a chain owned by Docker instead of a firewalld zone. Note that firewalld 1.0 deprecated the direct interface in favour of policies; it still works, but check your distribution's firewalld release notes before relying on it long term.
before
# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
direct.xml
/etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-j RETURN -s 127.0.0.0/8</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-j RETURN -s 172.16.0.0/12</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1">-j RETURN -s 111.222.111.0/24</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT</rule>
</direct>
What the rules do (DOCKER-USER sits in the FORWARD path, which is where published container ports are reached):
The conntrack RELATED,ESTABLISHED rule ACCEPTs replies to connections the containers opened themselves and packets of already-accepted inbound connections, so they skip the checks below.
Each -j RETURN -s <net> rule lets traffic from a trusted source leave DOCKER-USER and continue to Docker's own rules, which then allow only the published ports. 127.0.0.0/8 is the host itself, 172.16.0.0/12 covers Docker's default bridge subnets, and 111.222.111.0/24 is the placeholder for the trusted remote network; replace it with your own.
The -j REJECT at priority 10 catches everything else. firewalld orders direct rules by priority and does not guarantee the order of rules that share the same priority, so the allow rules can all be priority 1 (they do not conflict with each other), but the catch-all must carry a higher number or it may be placed in front of them.
The <chain> element declares DOCKER-USER so firewalld can populate it on reload even when dockerd has not created it yet.
Only ipv4 is covered here. If the daemon runs with ip6tables enabled, add the same rules with ipv="ipv6" and IPv6 sources.
If you use user-defined networks, check their subnets: Docker's default address pools fall back to 192.168.0.0/16 once the 172.16.0.0/12 space is used, and a network created with an explicit --subnet can be anywhere, so containers on such networks would hit the REJECT rule unless their subnet gets its own RETURN rule.
vi /etc/firewalld/direct.xml
systemctl stop docker
firewall-cmd --reload
systemctl start docker
Stop dockerd before the reload: a firewalld reload rebuilds the rule set and can discard the rules dockerd installed. Starting dockerd afterwards recreates its chains and appends its own RETURN to the already populated DOCKER-USER chain, which gives the order shown below. Verify with iptables -L DOCKER-USER (or iptables -S DOCKER-USER for a form that is easy to compare against direct.xml).
after
# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     all  --  127.0.0.0/8          anywhere
RETURN     all  --  172.16.0.0/12        anywhere
RETURN     all  --  111.222.111.0/24     anywhere
REJECT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
The final RETURN is the one Docker adds itself. Every packet is ACCEPTed, RETURNed or REJECTed by the rules above it, so nothing reaches it any more; if the REJECT ever ends up below that RETURN (for example because the chain was recreated after the reload), the allowlist is silently bypassed.
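The following is an added example, not code from the page or from the Docker or firewalld projects. It generates the direct.xml above from a list of trusted sources (emitting -s <net> -j RETURN, which iptables treats the same as the page's -j RETURN -s <net>), and audits the output of iptables -S DOCKER-USER against that list: the conntrack ACCEPT must come first, every trusted source needs a RETURN/ACCEPT before the catch-all, the catch-all REJECT/DROP must exist, and an unconditional RETURN reached before it (the "before" state) is flagged. The function names, the constructed before/after samples and the 111.222.111.0/24 placeholder are this example's own assumptions; on a real host feed it the output of iptables -S DOCKER-USER.

```python
"""Added example: render firewalld direct.xml for DOCKER-USER from an allowlist
and audit `iptables -S DOCKER-USER` output against it. Names and samples are
this example's assumptions, not Docker's or firewalld's code."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import namedtuple

# Trusted sources mirroring the page's rules (111.222.111.0/24 is a placeholder).
ALLOWED_SOURCES = ["127.0.0.0/8", "172.16.0.0/12", "111.222.111.0/24"]

# Constructed `iptables -S DOCKER-USER` output before and after the direct rules.
BEFORE_OUTPUT = """\
-N DOCKER-USER
-A DOCKER-USER -j RETURN
"""
AFTER_OUTPUT = """\
-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -s 127.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 111.222.111.0/24 -j RETURN
-A DOCKER-USER -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN
"""


def render_direct_xml(allowed_sources, ipv="ipv4"):
    """Allow rules at priority 1, catch-all REJECT at priority 10 so firewalld
    places it after them (order among equal priorities is not guaranteed)."""
    root = ET.Element("direct")
    # Declare the chain so firewalld can fill it before dockerd has created it.
    ET.SubElement(root, "chain", ipv=ipv, table="filter", chain="DOCKER-USER")

    def rule(priority, args):
        el = ET.SubElement(root, "rule", ipv=ipv, table="filter",
                           chain="DOCKER-USER", priority=str(priority))
        el.text = args

    rule(1, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    for src in allowed_sources:
        # strict parsing: a CIDR with host bits set (a typo) raises instead of widening
        rule(1, f"-s {ipaddress.ip_network(src)} -j RETURN")
    rule(10, "-j REJECT")
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


Rule = namedtuple("Rule", "source target conditional raw")


def parse_docker_user_rules(iptables_s_output):
    """Parse `-A DOCKER-USER ...` lines into (source net, target, has-match, raw)."""
    rules = []
    for line in iptables_s_output.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "DOCKER-USER"] or "-j" not in tokens:
            continue  # -N/-P lines, other chains, or a rule without a target
        j = tokens.index("-j")
        matches, target = tokens[2:j], tokens[j + 1]
        source = None
        if "-s" in matches:
            i = matches.index("-s")
            if i == 0 or matches[i - 1] != "!":  # "! -s X" negates, it is not an allow
                source = ipaddress.ip_network(matches[i + 1], strict=False)
        rules.append(Rule(source, target, bool(matches), line))
    return rules


def audit_docker_user(iptables_s_output, allowed_sources):
    """Return a list of problems; an empty list means the chain enforces the allowlist."""
    rules = parse_docker_user_rules(iptables_s_output)
    allowed = {ipaddress.ip_network(s) for s in allowed_sources}
    if not rules:
        return ["DOCKER-USER chain is missing or empty"]
    problems = []
    first = rules[0]
    if not (first.target == "ACCEPT" and "--ctstate" in first.raw and "ESTABLISHED" in first.raw):
        problems.append("first rule should ACCEPT RELATED,ESTABLISHED so replies to "
                        "container-initiated connections are not rejected")
    catch_all = None
    for i, r in enumerate(rules):
        if r.conditional:
            continue
        # The first unconditional rule ends traversal for everything not matched above it.
        if r.target in ("REJECT", "DROP"):
            catch_all = i
        else:
            problems.append(f"rule {i + 1} is an unconditional {r.target}: "
                            "all other sources reach Docker's own chains")
        break
    if catch_all is None:
        problems.append("no catch-all REJECT/DROP ahead of the chain's final RETURN")
        catch_all = len(rules)
    seen = {r.source for r in rules[:catch_all]
            if r.source is not None and r.target in ("RETURN", "ACCEPT")}
    for net in sorted(allowed - seen, key=str):
        problems.append(f"allowed source {net} has no RETURN/ACCEPT before the catch-all")
    for net in sorted(seen - allowed, key=str):
        problems.append(f"source {net} is allowed but not in the allowlist")
    return problems


if __name__ == "__main__":
    print(render_direct_xml(ALLOWED_SOURCES))
    for name, out in (("before", BEFORE_OUTPUT), ("after", AFTER_OUTPUT)):
        print(name + ":", audit_docker_user(out, ALLOWED_SOURCES) or "OK")
```

Run it after the reload/restart sequence with `iptables -S DOCKER-USER | python3 -c 'import sys, audit; print(audit.audit_docker_user(sys.stdin.read(), audit.ALLOWED_SOURCES))'` (module name assumed) and treat any non-empty list as a failed deploy; it catches the two silent failure modes, a REJECT that landed above the allow rules because of equal priorities, and a chain recreated without the REJECT at all.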
Ref
https://github.com/firewalld/firewalld/issues/869#issuecomment-1492784514