iptables의 DOCKER-USER 체인에 방화벽 규칙을 추가할 것
https://docs.docker.com/network/packet-filtering-firewalls/
/etc/firewalld/direct.xml에 iptables 규칙을 직접 추가
# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
<?xml version="1.0" encoding="utf-8"?>
<!--
  firewalld "direct" rules for Docker's DOCKER-USER chain (filter table, IPv4).

  DOCKER-USER is traversed from FORWARD before Docker's own rules. Inside it,
  RETURN hands the packet back to Docker's default handling (i.e. it is allowed
  to continue), while REJECT stops it before Docker's port-publishing rules can
  accept it.

  Priority: lower values are placed earlier in the chain. Per firewalld.direct(5)
  the relative order of rules that share a priority is not guaranteed, so every
  allow/RETURN rule uses priority 1 (order among them does not matter) and the
  catch-all REJECT uses priority 10 so it is always evaluated last.

  ipv="ipv4" only: if the Docker daemon runs with IPv6 enabled, the ip6tables
  DOCKER-USER chain is left unrestricted by this file; equivalent ipv="ipv6"
  rules would be needed.
-->
<direct>
  <chain ipv="ipv4" table="filter" chain="DOCKER-USER"/>

  <!-- Reply traffic of connections already allowed (including container-initiated ones). -->
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</rule>

  <!-- Forwarded traffic sourced from loopback. -->
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 127.0.0.0/8</rule>

  <!-- Container-sourced traffic (outbound from containers): Docker's default
       bridge subnets fall inside 172.16.0.0/12.
       NOTE(review): Docker's default address pools also draw from 192.168.0.0/16
       once the 172.x pool is used up; containers on such a network would have
       their outbound traffic hit the REJECT below. Confirm the subnets in use
       with `docker network inspect` before relying on this single range. -->
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 172.16.0.0/12</rule>

  <!-- Trusted client network allowed to reach published container ports. -->
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="1"> -j RETURN -s 111.222.111.0/24</rule>

  <!-- Everything else is rejected before Docker's own accept rules run.
       Placed at a strictly higher priority so it is never reordered above
       the RETURN/ACCEPT rules. -->
  <rule ipv="ipv4" table="filter" chain="DOCKER-USER" priority="10">-j REJECT</rule>
</direct>
# Edit the permanent direct rules.
vi /etc/firewalld/direct.xml

# Stop Docker before reloading firewalld and start it again afterwards.
# NOTE(review): presumably because a firewalld reload flushes the iptables
# chains Docker manages; restarting the daemon recreates them together with
# the DOCKER-USER reference. Confirm with `iptables -L DOCKER-USER` after the
# restart (expected output is shown below).
systemctl stop docker
firewall-cmd --reload
systemctl start docker
# iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     all  --  127.0.0.0/8          anywhere
RETURN     all  --  172.16.0.0/12        anywhere
RETURN     all  --  111.222.111.0/24     anywhere
REJECT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
https://github.com/firewalld/firewalld/issues/869#issuecomment-1492784514