Notes

If a container must make decisions based on the packet's source IP, do not disable iptables.

(Example) When collecting NetFlow, sFlow, network logs, etc. in a container, Docker's iptables must stay enabled so that the IP of the device that generated the data is the one recorded.

Test Commands

Docker Host (134.75.zzz.250)

# docker run -d --rm --name web-test -p 80:8000 crccheck/hello-world

# ip addr
2: eth0:
    inet 134.75.zzz.250/24 ...
3: docker0:
    inet 172.17.0.1/16 ...
7: veth30acbdc@if6: ...

# docker inspect --format '{{ .NetworkSettings.IPAddress }}' web-test
172.17.0.2

# tcpdump -i any -nn 'port 8000 or port 80'

Web Client (210.107.xx.yy)

# curl http://134.75.zzz.250

iptables enabled (docker default)

Packets pass through the iptables FORWARD chain → DOCKER-USER.

Packets arriving from outside are delivered to the container with their source IP preserved.

# tcpdump -i any -nn 'port 8000 or port 80'
16:34:08.561232 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [S], seq 2608725075, win 65535, ... , length 0
16:34:08.561259 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [S], seq 2608725075, win 65535, ... , length 0
16:34:08.561265 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [S], seq 2608725075, win 65535, ... , length 0
16:34:08.561286 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, ... , length 0
16:34:08.561288 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, ... , length 0
16:34:08.561294 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, ... , length 0
16:34:08.562295 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [.], ack 1, win 2051, ... , length 0
16:34:08.562303 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 1, win 2051, ... , length 0
16:34:08.562305 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 1, win 2051, ... , length 0
16:34:08.562384 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:34:08.562387 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:34:08.562388 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:34:08.562442 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 78, win 509, ... , length 0
16:34:08.562456 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 78, win 509, ... , length 0
16:34:08.562492 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [.], ack 78, win 509, ... , length 0
16:34:08.562971 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:34:08.562973 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:34:08.562980 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:34:08.563001 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:34:08.563002 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:34:08.563006 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:34:08.567560 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [.], ack 212, win 2048, ... , length 0
16:34:08.567569 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 212, win 2048, ... , length 0
16:34:08.567570 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 212, win 2048, ... , length 0
16:34:08.567577 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [.], ack 652, win 2041, ... , length 0
16:34:08.567579 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 652, win 2041, ... , length 0
16:34:08.567580 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 652, win 2041, ... , length 0
16:34:08.567909 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:34:08.567911 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:34:08.567912 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:34:08.567918 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 79, win 509, ... , length 0
16:34:08.567918 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 79, win 509, ... , length 0
16:34:08.567924 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [.], ack 79, win 509, ... , length 0
^C
33 packets captured
35 packets received by filter
0 packets dropped by kernel

iptables disabled

/etc/docker/daemon.json:
{ "iptables": false }

Packets arriving from outside do not traverse the FORWARD chain; they are relayed via NAT.

The source IP is rewritten to 172.17.0.1, the IP of the docker0 interface, before the packet is delivered to the container.

# tcpdump -i any -nn 'port 8000 or port 80'
16:43:39.818690 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [S], seq 773619036, win 65535, ... , length 0
16:43:39.818725 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [S.], seq 3116599210, ack 773619037, win 62636, ... , length 0
16:43:39.820786 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [.], ack 1, win 2051, ... , length 0
16:43:39.822161 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [S], seq 30794580, win 64240, ... , length 0
16:43:39.822162 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [S], seq 30794580, win 64240, ... , length 0
16:43:39.822175 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [S.], seq 2014184389, ack 30794581, win 65160, ... , length 0
16:43:39.822176 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [S.], seq 2014184389, ack 30794581, win 65160, ... , length 0
16:43:39.822187 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.], ack 1, win 502, ... , length 0
16:43:39.822188 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.], ack 1, win 502, ... , length 0
16:43:39.822498 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:43:39.822517 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [.], ack 78, win 489, ... , length 0
16:43:39.822556 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 502, ... , length 77
16:43:39.822578 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 502, ... , length 77
16:43:39.822595 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.], ack 78, win 509, ... , length 0
16:43:39.822598 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.], ack 78, win 509, ... , length 0
16:43:39.822949 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:43:39.822957 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:43:39.822982 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.], ack 212, win 501, ... , length 0
16:43:39.822986 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.], ack 212, win 501, ... , length 0
16:43:39.823024 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:43:39.823026 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:43:39.823030 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [P.], seq 1:212, ack 78, win 489, ... , length 211
16:43:39.823045 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [P.], seq 212:651, ack 78, win 489, ... , length 439
16:43:39.823057 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [F.], seq 651, ack 78, win 489, ... , length 0
16:43:39.827674 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [.], ack 212, win 2048, ... , length 0
16:43:39.827784 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [.], ack 652, win 2041, ... , length 0
16:43:39.828173 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:43:39.828179 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [.], ack 79, win 489, ... , length 0
16:43:39.828236 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 501, ... , length 0
16:43:39.828238 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 501, ... , length 0
16:43:39.828254 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.], ack 79, win 509, ... , length 0
16:43:39.828255 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.], ack 79, win 509, ... , length 0
^C
32 packets captured
34 packets received by filter
0 packets dropped by kernel
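The two captures above differ in one visible way: with iptables enabled the packet that reaches the container on docker0/veth still carries 210.107.xx.yy as its source, while with iptables disabled the host completes the TCP handshake itself on 134.75.zzz.250:80 and then opens a second connection from 172.17.0.1:52220 (Docker's userland proxy, docker-proxy) to 172.17.0.2:8000, so the container never sees the client's address. The following Python script is an added example, not part of the original page: it parses `tcpdump -i any -nn` lines of the layout shown above, reports which source IPs actually reach a container's published port, classifies the result as "preserved" or "masked", and checks a daemon.json for the `"iptables": false` setting that causes the masking. The embedded capture lines are constructed samples using RFC 5737 documentation addresses (203.0.113.10 as client, 198.51.100.250 as host) in place of the page's masked addresses; the function names are this example's own.

```python
"""Added example: detect whether a container behind a published Docker port
sees the real client source IP (iptables enabled) or only the docker0 gateway
address (iptables disabled, traffic relayed by the userland proxy)."""
import json
import re

# One `tcpdump -i any -nn` line in the Linux "any" pseudo-interface layout:
#   <time> <ifname> <In|Out|P> IP <src>.<sport> > <dst>.<dport> : Flags [..], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<ifname>\S+)\s+(?P<direction>In|Out|P)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s*:\s+Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample addresses (RFC 5737 / Docker defaults), not the page's real hosts.
CLIENT, HOST, GATEWAY, CONTAINER = "203.0.113.10", "198.51.100.250", "172.17.0.1", "172.17.0.2"

# Constructed capture: iptables enabled, the client IP is forwarded unchanged.
CAPTURE_IPTABLES_ENABLED = """\
16:34:08.561232 eth0         In   IP 203.0.113.10.64516 > 198.51.100.250.80   : Flags [S], seq 2608725075, win 65535, length 0
16:34:08.561259 docker0      Out  IP 203.0.113.10.64516 > 172.17.0.2.8000     : Flags [S], seq 2608725075, win 65535, length 0
16:34:08.561265 veth0c3a1d7  Out  IP 203.0.113.10.64516 > 172.17.0.2.8000     : Flags [S], seq 2608725075, win 65535, length 0
16:34:08.561286 veth0c3a1d7  P    IP 172.17.0.2.8000     > 203.0.113.10.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, length 0
"""

# Constructed capture: iptables disabled, the host terminates the client
# connection and opens a new one from the docker0 address to the container.
CAPTURE_IPTABLES_DISABLED = """\
16:43:39.818690 eth0         In   IP 203.0.113.10.65282 > 198.51.100.250.80   : Flags [S], seq 773619036, win 65535, length 0
16:43:39.818725 eth0         Out  IP 198.51.100.250.80  > 203.0.113.10.65282 : Flags [S.], seq 3116599210, ack 773619037, win 62636, length 0
16:43:39.822161 docker0      Out  IP 172.17.0.1.52220   > 172.17.0.2.8000    : Flags [S], seq 30794580, win 64240, length 0
16:43:39.822175 veth30acbdc  P    IP 172.17.0.2.8000    > 172.17.0.1.52220   : Flags [S.], seq 2014184389, ack 30794581, win 65160, length 0
"""


def parse_line(line):
    """Return a dict for one packet line, or None for non-packet lines such as '^C'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def sources_seen_by_container(capture, container_ip, container_port):
    """Set of source IPs on packets addressed to container_ip:container_port.

    Packets the container sends back are ignored; only what arrives at the
    container counts, because that is what its application logs."""
    sources = set()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and pkt["dst"] == container_ip and pkt["dport"] == container_port:
            sources.add(pkt["src"])
    return sources


def classify_source_ip(capture, container_ip, container_port, client_ip, gateway_ip):
    """'preserved' if the client's IP reaches the container, 'masked' if only
    the docker0 gateway IP does, 'no-traffic' if nothing matched the port."""
    sources = sources_seen_by_container(capture, container_ip, container_port)
    if not sources:
        return "no-traffic"
    if client_ip in sources:
        return "preserved"
    if sources <= {gateway_ip}:
        return "masked"
    return "unknown"


def iptables_disabled(daemon_json_text):
    """True when a /etc/docker/daemon.json turns Docker's iptables management off.
    Docker's default (key absent or file empty) is enabled."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    return cfg.get("iptables", True) is False


if __name__ == "__main__":
    for name, cap in (("iptables enabled", CAPTURE_IPTABLES_ENABLED),
                      ("iptables disabled", CAPTURE_IPTABLES_DISABLED)):
        seen = sorted(sources_seen_by_container(cap, CONTAINER, 8000))
        verdict = classify_source_ip(cap, CONTAINER, 8000, CLIENT, GATEWAY)
        print(f"{name}: container sees {seen} -> source IP {verdict}")
    print("daemon.json disables iptables:", iptables_disabled('{ "iptables": false }'))
```

Run it against a real capture by reading the tcpdump output into `classify_source_ip` with the container IP from `docker inspect` and the published container port; a "masked" verdict on a collector container means every NetFlow, sFlow or syslog record it writes will name 172.17.0.1 instead of the sending device, which is exactly the condition the note at the top of this page warns about. Pairing it with `iptables_disabled` on the host's daemon.json gives a quick configuration check before any packets are captured.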
