Ubuntu / UFW: How to tell Docker not to expose all ports?

Time: 2022-03-08 14:28:01

I'm really struggling here and googled a lot... no solution worked so far.

I'm running several docker containers (nodejs, mongodb, ...) on my Ubuntu machine. Unfortunately, Docker (v1.6) exposes all ports to the public! Since I have an nginx reverse proxy (also in a docker container), I only want port 80 to be accessible from outside - UFW does not work in this case, since Docker operates on iptables.

So I tried the following suggestions:

  1. Changed DOCKER_OPTS to the following (and restarted the docker service):

    DOCKER_OPTS="--ip 127.0.0.1 --iptables=false"
    
  2. Added the following rules to my iptables (for nodejs port 3001)

    iptables -I PREROUTING 1 -t mangle ! -s 127.0.0.1 -p tcp --dport 3001 -j ACCEPT
    iptables -I PREROUTING 2 -t mangle -p tcp --dport 3001 -j DROP
    

=> both changes do not work?

Are there any other suggestions that might help here?

In short: I only want port 80 (nginx docker container) to be exposed to the public... all others (e.g. 3001) should be rejected when not accessed from localhost!

UPDATE:

I forgot to mention that I start the containers with "-p 3001:3000" (e.g. for the nodejs app).

I don't want this port (3001) to be accessible from the web... but only from other containers or the docker host system.

Thank you very much in advance.

Greetz,

Sascha

1 solution

#1


Just drop the -p from your docker run command line.

Container ports will, by default, be available to other containers running on your system without using -p. You just need to know the IP address of the target container. For example, if I start a web server:

$ docker run --name web -d larsks/mini-httpd

And get the IP address:

$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' web
172.17.0.3

Then from the host or any other container I can run something like:

# curl http://172.17.0.3/

I can also use container linking if I don't want to muck around with IP addresses. For example, if the web container above is already running, I can link it to a new container:

$ docker run --link web:web -it alpine sh

And then access it by name:

/ # wget -O- http://web/
 ___ _    __        __         _          
|_ _| |_  \ \      / /__  _ __| | _____   
 | || __|  \ \ /\ / / _ \| '__| |/ / __|  
 | || |_    \ V  V / (_) | |  |   <\__ \_ 
|___|\__|    \_/\_/ \___/|_|  |_|\_\___(_)
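An added example, not part of the question or the answer above: a small audit script for the situation the question describes. Docker implements "-p 3001:3000" with DNAT rules in the nat table, so the traffic never hits the INPUT chain that UFW filters, and a mapping bound to 0.0.0.0 (or ::) stays reachable from the network whatever UFW says. The two remedies are the answer's (drop -p, reach the container on the bridge address) or binding the mapping to loopback with "-p 127.0.0.1:3001:3000"; on Docker 17.06 and later the DOCKER-USER chain is the supported place for filtering rules, which did not exist for the 1.6 in the question. Note also that the mangle rules posted in the question, as written, accept every source other than 127.0.0.1 and drop only the remainder, the inverse of the stated intent. The script below assumes the input format of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the sample output it is run on is constructed here so it works without a Docker daemon, and the allowlist argument (80) is the one port the question wants public.

```shell
#!/bin/sh
# Added example (not from the question or the answer): list published container
# ports that are bound to a non-loopback address, i.e. reachable from outside
# the host regardless of UFW, because Docker's DNAT rules bypass the INPUT chain.
#
# Assumed input format: the output of
#     docker ps --format '{{.Names}}\t{{.Ports}}'
# The sample below is constructed so the audit runs without a Docker daemon.

SAMPLE_PS_OUTPUT=$(printf '%s\t%s\n' \
    nginx   '0.0.0.0:80->80/tcp, :::80->80/tcp' \
    nodejs  '0.0.0.0:3001->3000/tcp' \
    mongodb '127.0.0.1:27017->27017/tcp' \
    worker  '3000/tcp')

# audit_port_bindings [ALLOWED_HOSTPORT ...]
# Reads "<name><TAB><ports>" lines on stdin and prints "<name> <bindaddr>:<hostport>"
# for every published mapping bound to a non-loopback address, skipping host
# ports passed as arguments (the ones you intend to be public, e.g. 80 for nginx).
# Unpublished ports (no "->") are skipped: they are reachable only on the bridge.
audit_port_bindings() {
    awk -F'\t' -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            if (index(maps[i], "->") == 0) continue   # exposed only on the bridge
            split(maps[i], side, "->")
            host = side[1]                             # e.g. "0.0.0.0:3001" or ":::80"
            port = host; sub(/^.*:/, "", port)         # host port (after the last colon)
            sub(/:[0-9-]+$/, "", host)                 # bind address (handles port ranges)
            if (host == "127.0.0.1" || host == "::1") continue
            if (port in ok) continue
            print $1, side[1]
        }
    }'
}

# Run against the constructed sample; only port 80 is meant to be public, so the
# nodejs mapping on 0.0.0.0:3001 is the one finding that needs a loopback rebind.
printf '%s\n' "$SAMPLE_PS_OUTPUT" | audit_port_bindings 80
```

On a real host, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into `audit_port_bindings 80` instead of the constructed sample; every line it prints is a mapping to restart with `-p 127.0.0.1:HOSTPORT:CONTAINERPORT` or without `-p` at all.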
