Docker official documentation: firewall guide
Add firewall rules to the DOCKER-USER chain in iptables.
https://docs.docker.com/network/packet-filtering-firewalls/
How to configure UFW
https://docs.docker.com/network/packet-filtering-firewalls/ states that Docker and UFW set up iptables in ways that are incompatible with each other:
Docker and ufw use iptables in ways that make them incompatible with each other.
The firewall can still be applied to container traffic by adding the UFW rule chain (ufw-user-input) to the DOCKER-USER chain.
Check NIC
Find the name of the external interface; it is used in the DOCKER-USER rules below.
  # lshw -short -c net
  H/W path        Device   Class    Description
  ==============================================================
  /0/100/2/0               network  Virtio network device
  /0/100/2/0/0    enp1s0   network  Ethernet interface
Change systemd
Make the firewall start before the docker service by editing /lib/systemd/system/ufw.service.
  before:
    Before=network-pre.target
  after:
    Before=network-pre.target docker.service
Add UFW rule for firewall
Edit /etc/ufw/after.rules. Replace enp1s0 with the interface found above. Packets arriving on that interface are handed to ufw-user-input; anything it does not ACCEPT falls through to the final DROP.
  before:
    # don't delete the 'COMMIT' ...
    COMMIT
  after:
    # put docker behind ufw
    :DOCKER-USER - [0:0]
    :ufw-user-input - [0:0]
    -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
    -A DOCKER-USER -i enp1s0 -j ufw-user-input
    -A DOCKER-USER -i enp1s0 -j DROP
    # don't delete the 'COMMIT' ...
    COMMIT
Reboot
  # ufw enable
  # reboot
Check
  # ufw status
  Status: active
  To        Action   From
  --        ------   ----
  22/tcp    ALLOW    Anywhere
  80/tcp    ALLOW    111.222.111.0/24

  # iptables -L -v -x
  Chain INPUT (policy DROP 7 packets, 288 bytes)
      pkts   bytes  target                    prot opt in     out  source     destination
       248   27238  ufw-before-logging-input  all  --  any    any  anywhere   anywhere
       248   27238  ufw-before-input          all  --  any    any  anywhere   anywhere
        38    8139  ufw-after-input           all  --  any    any  anywhere   anywhere
        15     896  ufw-after-logging-input   all  --  any    any  anywhere   anywhere
        15     896  ufw-reject-input          all  --  any    any  anywhere   anywhere
        15     896  ufw-track-input           all  --  any    any  anywhere   anywhere
  Chain FORWARD (policy DROP 0 packets, 0 bytes)
  ...
  Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
  ...
  Chain DOCKER-USER (1 references)
      pkts   bytes  target          prot opt in      out  source            destination
         0       0  ACCEPT          all  --  any     any  anywhere          anywhere     ctstate RELATED,ESTABLISHED
         0       0  DROP            all  --  any     any  anywhere          anywhere     ctstate INVALID
         0       0  ufw-user-input  all  --  enp1s0  any  anywhere          anywhere
         0       0  DROP            all  --  enp1s0  any  anywhere          anywhere
         0       0  RETURN          all  --  any     any  anywhere          anywhere
  ...
  Chain ufw-user-input (2 references)
      pkts   bytes  target  prot opt in   out  source            destination
         1      64  ACCEPT  tcp  --  any  any  anywhere          anywhere     tcp dpt:ssh
         0       0  ACCEPT  tcp  --  any  any  111.222.111.0/24  anywhere     tcp dpt:http
  ...
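The manual check above can be scripted. The following is an added example, not part of the Docker or UFW documentation: it reads `iptables -S DOCKER-USER` output and confirms that the four rules from after.rules are present in the order that actually guards the interface (the conntrack ACCEPT first, then INVALID DROP, then the jump to ufw-user-input, then the DROP), and that no other ACCEPT sits above the final DROP. The interface name (enp1s0) and the sample chain are constructed from this page.

```shell
#!/bin/sh
# Added example (not from the Docker or UFW docs): check that the DOCKER-USER
# chain carries the four after.rules entries in the order that guards the NIC.
# Reads `iptables -S DOCKER-USER` output on stdin, so it works on the live
# chain or on a saved copy.

# Index (1-based, counting -A lines only) of the first rule matching the
# extended regex in $1, or 0 when no rule matches.
rule_index() {
  awk -v pat="$1" '{ n++ } $0 ~ pat && !found { found = n } END { print found + 0 }'
}

# check_docker_user NIC  (rules on stdin); exit status 0 = ok, 1 = problem
check_docker_user() {
  nic="$1"
  rules=$(grep '^-A DOCKER-USER' || true)
  est=$(printf '%s\n' "$rules" | rule_index 'RELATED,ESTABLISHED -j ACCEPT')
  inv=$(printf '%s\n' "$rules" | rule_index 'INVALID -j DROP')
  ufw=$(printf '%s\n' "$rules" | rule_index "-i $nic -j ufw-user-input")
  drop=$(printf '%s\n' "$rules" | rule_index "-i $nic -j DROP")
  # Any ACCEPT above the final DROP other than the conntrack rule would let
  # new connections bypass ufw-user-input, so exactly one is allowed.
  accepts=$(printf '%s\n' "$rules" |
    awk -v stop="$drop" 'NR < stop && /-j ACCEPT/ { c++ } END { print c + 0 }')
  if [ "$est" -eq 1 ] && [ "$inv" -gt "$est" ] && [ "$ufw" -gt "$inv" ] &&
     [ "$drop" -gt "$ufw" ] && [ "$accepts" -eq 1 ]; then
    echo "DOCKER-USER ok: $nic is guarded by ufw-user-input"
    return 0
  fi
  echo "DOCKER-USER missing or misordered (est=$est inv=$inv ufw=$ufw drop=$drop accepts=$accepts)" >&2
  return 1
}

# Constructed sample of `iptables -S DOCKER-USER` after the after.rules edit;
# the trailing RETURN is appended by Docker itself.
SAMPLE='-N DOCKER-USER
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate INVALID -j DROP
-A DOCKER-USER -i enp1s0 -j ufw-user-input
-A DOCKER-USER -i enp1s0 -j DROP
-A DOCKER-USER -j RETURN'
printf '%s\n' "$SAMPLE" | check_docker_user enp1s0
# Live system: iptables -S DOCKER-USER | check_docker_user enp1s0
```

Run it after `ufw reload` or a Docker restart as well, since either can rebuild the chain.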