文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >如何防止iptable中的远程访问

如何防止iptable中的远程访问
EN

Server Fault用户
提问于 2021-09-02 01:07:36
回答 1查看 221关注 0票数 2

我已经用docker-compose设置了iptables,但是我只想要的ip地址的白名单似乎没有工作,因为服务器仍然在进行远程访问尝试:

代码语言:javascript
复制
Connection matched pg_hba.conf line 95: "host all all all md5"
2021-09-01 21:36:42.132 UTC [8821] FATAL:  password authentication failed for user "postgres"
2021-09-01 21:36:42.132 UTC [8821] DETAIL:  Role "postgres" does not exist.

如何将我的iptable修复为正确设置?我在这里做错了什么?

代码语言:javascript
复制
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT (where x is removed ip addresses)
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -i br-1de8a78b46b8 -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 2368 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5900 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 4444 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9300 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1de8a78b46b8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

编辑:

下面是我的配置:

代码语言:javascript
复制
  postgres:
    image: "postgres:12.1"
    env_file:
      - '.env'
    ports:
      - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables

    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - postgres:/var/lib/postgresql/data
      - /opt/ghost_postgres:/var/lib/postgres
    networks: 
      - esnet

  redis:
    image: redis:5.0.6-alpine
    command: redis-server --requirepass "${REDIS_PASS}"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    ports:
      - '6379:6379'
    volumes:
      - redis:/var/lib/redis/data
    networks: 
      - esnet


  prosebit:
    build: 
      context: "."
      args:
        - "FLASK_ENV=${FLASK_ENV:-production}"
        - "NODE_ENV=${NODE_ENV:-production}"
    depends_on:
      - "postgres"
      - "redis"
    env_file:
      - ".env"
    ports:
      - "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
    networks:
      - esnet
      
  web: 
    depends_on:
      - prosebit
    restart: always
    build:
      context: ../nginx #added /deploy for development, remove for production
      dockerfile: Dockerfile
    volumes:
      ...
    ports:
      - 80:80
      - 443:443
    networks:
      - "esnet"


  celery:
    build: 
      context: "."
      args: 
        - "FLASK_ENV=${FLASK_ENV:-production}"
        - "NODE_ENV=${NODE_ENV:-production}"
    command: celery worker -B -l info -A 
    env_file:
      - '.env'
    depends_on:
      - "postgres"
      - "redis"
    env_file:
      - ".env"
    restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
    stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
    volumes:
      - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
    networks:
      - "esnet"
iptables
firewall
EN

回答 1

Server Fault用户

回答已采纳

发布于 2021-09-03 02:25:48

Docker在防火墙本身中打开端口,因为您的docker-come.yml显式请求端口5432向世界公开。

代码语言:javascript
复制
    ports:
      - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables

现在还不清楚这是为什么会出现在这里,以任何形式。请记住,同一个network中的服务可以始终相互访问,而不需要指定ports。仅指定ports以允许从外部访问。

PS:你也把你的红色容器暴露给了世界,这可能也不是你想要的。

票数 2
EN
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://serverfault.com/questions/1076367

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档