Docker official documentation: firewall guide

Add firewall rules to the DOCKER-USER chain of iptables (the chain Docker evaluates before its own rules, so rules placed there are not overridden)

https://docs.docker.com/network/packet-filtering-firewalls/


How to configure firewalld

Add the iptables rules directly in /etc/firewalld/direct.xml (firewalld's direct interface)

before

# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target  prot  opt  source    destination
RETURN  all   --   anywhere  anywhere

direct.xml

/etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 127.0.0.0/8</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 172.16.0.0/12</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 111.222.111.0/24</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT</rule>
</direct>
vi /etc/firewalld/direct.xml   # write the rules above
systemctl stop docker          # a firewalld reload drops Docker's iptables rules, so stop Docker first
firewall-cmd --reload          # applies the direct rules to DOCKER-USER
systemctl start docker         # Docker recreates its own chains and rules on start

after

# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target  prot  opt  source            destination
ACCEPT  all   --   anywhere          anywhere     ctstate RELATED,ESTABLISHED
RETURN  all   --   127.0.0.0/8       anywhere
RETURN  all   --   172.16.0.0/12     anywhere
RETURN  all   --   111.222.111.0/24  anywhere
REJECT  all   --   anywhere          anywhere
RETURN  all   --   anywhere          anywhere
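As an added check (not part of this page, of firewalld or of Docker), the Python below compares a live `iptables -S DOCKER-USER` listing with direct.xml in the order firewalld applies direct rules (ascending priority, then file order within a priority), confirms the chain still ends with Docker's own RETURN, and flags a catch-all REJECT that is not preceded by the RELATED,ESTABLISHED ACCEPT (a priority mistake there cuts off reply traffic). The direct.xml and the chain listing are embedded as constructed copies of the ones above so the check runs offline; on a host you would feed it the real file and the real `iptables -S DOCKER-USER` output.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed copy of the direct.xml shown above, embedded so the check runs offline.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 127.0.0.0/8</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 172.16.0.0/12</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 111.222.111.0/24</rule>
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT</rule>
</direct>"""

# Constructed `iptables -S DOCKER-USER` output for the "after" state on this page.
LIVE_AFTER = """-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -s 127.0.0.0/8 -j RETURN
-A DOCKER-USER -s 172.16.0.0/12 -j RETURN
-A DOCKER-USER -s 111.222.111.0/24 -j RETURN
-A DOCKER-USER -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN"""

def rule_key(tokens):
    """Reduce one rule to the fields that matter here: (source, ctstate, target)."""
    opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("-s", "--ctstate", "-j")}
    return (opts.get("-s", "0.0.0.0/0"), opts.get("--ctstate", ""), opts.get("-j", ""))

def expected_rules(xml_text, chain="DOCKER-USER"):
    """Rules firewalld applies to `chain`: ascending priority, then file order within a priority."""
    rules = [(int(r.get("priority")), i, rule_key(shlex.split(r.text)))
             for i, r in enumerate(ET.fromstring(xml_text).findall("rule"))
             if r.get("chain") == chain and r.get("ipv") == "ipv4"]
    return [key for _, _, key in sorted(rules)]

def check_chain(live_output, xml_text, chain="DOCKER-USER"):
    """Compare `iptables -S <chain>` output with direct.xml; an empty list means the chain
    holds our rules in the intended order followed by exactly Docker's default RETURN."""
    want = expected_rules(xml_text, chain)
    live = [rule_key(shlex.split(line)[2:]) for line in live_output.splitlines()
            if line.startswith(f"-A {chain} ")]  # "-A <chain>" prefix stripped before keying
    findings = []
    denies = [i for i, k in enumerate(want) if k[2] in ("REJECT", "DROP")]
    if denies and ("0.0.0.0/0", "RELATED,ESTABLISHED", "ACCEPT") not in want[:denies[0]]:
        findings.append("catch-all deny is not preceded by the RELATED,ESTABLISHED ACCEPT")
    if live[:len(want)] != want:
        findings.append("direct.xml rules are missing from or out of order in the live chain")
    if live[len(want):] != [("0.0.0.0/0", "", "RETURN")]:  # Docker's own RETURN and nothing else
        findings.append("chain does not end with exactly Docker's default RETURN")
    return findings
```

`check_chain(LIVE_AFTER, DIRECT_XML)` returns an empty list for the "after" state; run against the "before" listing (only Docker's RETURN) it reports the missing rules.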


Ref

https://github.com/firewalld/firewalld/issues/869#issuecomment-1492784514
