
Notes

If the container has to make decisions based on the source IP, do not disable iptables.

(Example) When collecting NetFlow, sFlow, network logs, etc. into a container, Docker's iptables must remain enabled so that the IP of the device that generated the data is recorded.

Test

Docker Host (134.75.zzz.250)

# docker run -d --rm --name web-test -p 80:8000 crccheck/hello-world

# ip addr
2: eth0:
    inet 134.75.zzz.250/24 ...
3: docker0:
    inet 172.17.0.1/16 ...
7: veth30acbdc@if6: ...

# docker inspect --format '{{ .NetworkSettings.IPAddress }}' web-test
172.17.0.2

# tcpdump -i any -nn 'port 8000 or port 80'

Web Client (210.107.xx.yy)

# curl http://134.75.zzz.250

iptables enabled (docker default)

Packets are forwarded through the iptables FORWARD chain → DOCKER-USER.

Packets arriving from outside are delivered to the container with their source IP preserved.

# tcpdump -i any -nn 'port 8000 or port 80'
16:34:08.561232 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [S], seq 2608725075, win 65535, ... , length 0
16:34:08.561259 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [S], seq 2608725075, win 65535, ... , length 0
16:34:08.561265 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [S], seq 2608725075, win 65535, ... , length 0
16:34:08.561286 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, ... , length 0
16:34:08.561288 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, ... , length 0
16:34:08.561294 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [S.], seq 497713069, ack 2608725076, win 65160, ... , length 0
16:34:08.562295 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [.], ack 1, win 2051, ... , length 0
16:34:08.562303 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 1, win 2051, ... , length 0
16:34:08.562305 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 1, win 2051, ... , length 0
16:34:08.562384 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:34:08.562387 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:34:08.562388 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:34:08.562442 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 78, win 509, ... , length 0
16:34:08.562456 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 78, win 509, ... , length 0
16:34:08.562492 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [.], ack 78, win 509, ... , length 0
16:34:08.562971 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:34:08.562973 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:34:08.562980 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:34:08.563001 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:34:08.563002 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:34:08.563006 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:34:08.567560 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [.], ack 212, win 2048, ... , length 0
16:34:08.567569 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 212, win 2048, ... , length 0
16:34:08.567570 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 212, win 2048, ... , length 0
16:34:08.567577 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [.], ack 652, win 2041, ... , length 0
16:34:08.567579 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 652, win 2041, ... , length 0
16:34:08.567580 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [.], ack 652, win 2041, ... , length 0
16:34:08.567909 eth0         In   IP 210.107.xx.yy.64516 > 134.75.zzz.250.80   : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:34:08.567911 docker0      Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:34:08.567912 veth0c3a1d7  Out  IP 210.107.xx.yy.64516 > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:34:08.567918 veth0c3a1d7  P    IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 79, win 509, ... , length 0
16:34:08.567918 docker0      In   IP 172.17.0.2.8000     > 210.107.xx.yy.64516 : Flags [.], ack 79, win 509, ... , length 0
16:34:08.567924 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.64516 : Flags [.], ack 79, win 509, ... , length 0
^C
33 packets captured
35 packets received by filter
0 packets dropped by kernel

iptables disabled

/etc/docker/daemon.json
{ "iptables": false }

Packets arriving from outside do not traverse the FORWARD chain; they are forwarded via NAT.

The source IP is rewritten to 172.17.0.1, the address of the docker0 interface, before the packet is delivered.

# tcpdump -i any -nn 'port 8000 or port 80'
16:43:39.818690 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [S] , seq 773619036, win 65535, ... , length 0
16:43:39.818725 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [S.], seq 3116599210, ack 773619037, win 62636, ... , length 0
16:43:39.820786 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [.] , ack 1, win 2051, ... , length 0
16:43:39.822161 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [S] , seq 30794580, win 64240, ... , length 0
16:43:39.822162 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [S] , seq 30794580, win 64240, ... , length 0
16:43:39.822175 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [S.], seq 2014184389, ack 30794581, win 65160, ... , length 0
16:43:39.822176 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [S.], seq 2014184389, ack 30794581, win 65160, ... , length 0
16:43:39.822187 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.] , ack 1, win 502, ... , length 0
16:43:39.822188 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.] , ack 1, win 502, ... , length 0
16:43:39.822498 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [P.], seq 1:78, ack 1, win 2051, ... , length 77
16:43:39.822517 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [.] , ack 78, win 489, ... , length 0
16:43:39.822556 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 502, ... , length 77
16:43:39.822578 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [P.], seq 1:78, ack 1, win 502, ... , length 77
16:43:39.822595 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.] , ack 78, win 509, ... , length 0
16:43:39.822598 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.] , ack 78, win 509, ... , length 0
16:43:39.822949 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:43:39.822957 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [P.], seq 1:212, ack 78, win 509, ... , length 211
16:43:39.822982 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.] , ack 212, win 501, ... , length 0
16:43:39.822986 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [.] , ack 212, win 501, ... , length 0
16:43:39.823024 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:43:39.823026 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [F.], seq 212:651, ack 78, win 509, ... , length 439
16:43:39.823030 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [P.], seq 1:212, ack 78, win 489, ... , length 211
16:43:39.823045 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [P.], seq 212:651, ack 78, win 489, ... , length 439
16:43:39.823057 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [F.], seq 651, ack 78, win 489, ... , length 0
16:43:39.827674 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [.] , ack 212, win 2048, ... , length 0
16:43:39.827784 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [.] , ack 652, win 2041, ... , length 0
16:43:39.828173 eth0         In   IP 210.107.xx.yy.65282 > 134.75.zzz.250.80   : Flags [F.], seq 78, ack 652, win 2048, ... , length 0
16:43:39.828179 eth0         Out  IP 134.75.zzz.250.80   > 210.107.xx.yy.65282 : Flags [.] , ack 79, win 489, ... , length 0
16:43:39.828236 docker0      Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 501, ... , length 0
16:43:39.828238 veth30acbdc  Out  IP 172.17.0.1.52220    > 172.17.0.2.8000     : Flags [F.], seq 78, ack 652, win 501, ... , length 0
16:43:39.828254 veth30acbdc  P    IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.] , ack 79, win 509, ... , length 0
16:43:39.828255 docker0      In   IP 172.17.0.2.8000     > 172.17.0.1.52220    : Flags [.] , ack 79, win 509, ... , length 0
^C
32 packets captured
34 packets received by filter
0 packets dropped by kernel
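As an added example (not part of the original page), the following Python script parses `tcpdump -i any -nn` output like the two captures above and reports whether a client's source IP is preserved on its way into the container or replaced by the bridge address. The sample capture lines, the documentation-range IP addresses and the function names are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# One line of `tcpdump -i any -nn` output: timestamp, interface, direction
# (In/Out/P), then "IP src.sport > dst.dport :". Everything after is ignored.
LINE_RE = re.compile(
    r"^\S+\s+(?P<ifname>\S+)\s+(?P<dir>In|Out|P)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s*:"
)

def parse_capture(lines):
    """Yield (ifname, direction, src, dst, dport) for every parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ifname"], m["dir"], m["src"], m["dst"], int(m["dport"])

def classify_source_ip(lines, container_ip, container_port,
                       bridge_if="docker0", bridge_net="172.17.0.0/16"):
    """Compare client addresses arriving on the host NIC with the source
    addresses the container sees on the bridge: "preserved", "rewritten"
    (source replaced by an address inside bridge_net) or "unknown"."""
    net = ip_network(bridge_net)
    external, seen_by_container = set(), set()
    for ifname, direction, src, dst, dport in parse_capture(lines):
        if (ifname == bridge_if and direction == "Out"
                and dst == container_ip and dport == container_port):
            seen_by_container.add(src)        # what the container receives
        elif direction == "In" and ifname != bridge_if \
                and ip_address(src) not in net:
            external.add(src)                 # real clients on the host NIC
    if not seen_by_container:
        return "unknown"
    if seen_by_container <= external:
        return "preserved"
    if all(ip_address(s) in net for s in seen_by_container):
        return "rewritten"
    return "unknown"

# Constructed samples in the page's tcpdump format (documentation addresses:
# 203.0.113.7 = web client, 198.51.100.250 = Docker host eth0).
ENABLED = [  # Docker iptables on: client IP reaches the container unchanged
    "16:34:08.561232 eth0     In   IP 203.0.113.7.64516 > 198.51.100.250.80 : Flags [S], length 0",
    "16:34:08.561259 docker0  Out  IP 203.0.113.7.64516 > 172.17.0.2.8000 : Flags [S], length 0",
]
DISABLED = [  # iptables: false -> the container only sees the docker0 address
    "16:43:39.818690 eth0     In   IP 203.0.113.7.65282 > 198.51.100.250.80 : Flags [S], length 0",
    "16:43:39.822161 docker0  Out  IP 172.17.0.1.52220 > 172.17.0.2.8000 : Flags [S], length 0",
]
```

Running `classify_source_ip(ENABLED, "172.17.0.2", 8000)` returns "preserved" and the same call on `DISABLED` returns "rewritten", which is the condition a flow-collector container should alert on.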