May 22, 2021 Docker From entry to practice
Container access control is managed and implemented mainly through iptables, the firewall on Linux. iptables is the default firewall software on Linux and ships with most distributions.
For containers to access the external network, the local system must support packet forwarding. On a Linux system, check whether forwarding is turned on:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
If the value is 0, forwarding is not turned on and you need to enable it manually:
$ sysctl -w net.ipv4.ip_forward=1
If the Docker service is started with --ip-forward=true, Docker automatically sets the ip_forward parameter to 1.
For containers to reach each other, two conditions must hold: both containers are attached to the docker0 bridge on the local system, and iptables allows the traffic to pass.
When the Docker service starts, it adds a forwarding policy to the FORWARD chain of iptables by default. Whether that policy is ACCEPT or DROP depends on whether the daemon is configured with --icc=true (the default) or --icc=false. If --iptables=false is specified, Docker does not modify the iptables rules at all.
As you can see, network access between different containers is allowed by default. If this is undesirable for security reasons, you can set DOCKER_OPTS=--icc=false in /etc/default/docker to disable it.
After --icc=false is set, containers can still reach each other's open ports through the --link=CONTAINER_NAME:ALIAS option.
For example, you can start the Docker service with --icc=false --iptables=true at the same time, which turns off network access between containers while still allowing Docker to modify the iptables rules on the system.
At this point the iptables rules on the system may look similar to this:
$ sudo iptables -nL
...
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
...
After that, start containers with the --link=CONTAINER_NAME:ALIAS option of docker run. Docker then adds ACCEPT rules for the linked containers to iptables, allowing them to reach each other's open ports (those declared with EXPOSE in the Dockerfile).
After the --link=CONTAINER_NAME:ALIAS option is added, the iptables rules look like this:
$ sudo iptables -nL
...
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.17.0.2 172.17.0.3 tcp spt:80
ACCEPT tcp -- 172.17.0.3 172.17.0.2 tcp dpt:80
DROP all -- 0.0.0.0/0 0.0.0.0/0
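The two checks described in this section (whether ip_forward is enabled, and whether the FORWARD chain carries the catch-all DROP of --icc=false plus the per-link ACCEPT rules) can be scripted as a small host audit. The following shell script is an added example and is not code from the tutorial or from Docker itself; the function names (ip_forward_state, icc_state, link_rules, link_rule_count) are assumptions, and the sample sysctl and iptables outputs embedded in it are constructed to match the listings above.

```shell
#!/bin/sh
# Added audit helper; not part of the original tutorial or of Docker itself.
# Given the text of `sysctl net.ipv4.ip_forward` and of `sudo iptables -nL`,
# it reports whether the host forwards packets and whether the FORWARD chain
# blocks inter-container traffic (--icc=false) or allows it (--icc=true).
# The sample outputs at the bottom are constructed to match the listings
# shown in this section.

# "on" when the sysctl output reports ip_forward = 1, otherwise "off".
ip_forward_state() {
    case "$1" in
        *"net.ipv4.ip_forward = 1"*) echo on ;;
        *) echo off ;;
    esac
}

# Print only the rules of the FORWARD chain: the lines between the
# "Chain FORWARD" header and the next chain header, minus the column header.
forward_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain FORWARD/     { inchain = 1; next }
        /^Chain /            { inchain = 0 }
        inchain && /^target/ { next }
        inchain && NF > 0    { print }
    '
}

# "icc-off" when a catch-all DROP rule is present (the --icc=false policy),
# "icc-on" otherwise (the default --icc=true behaviour).
icc_state() {
    if forward_rules "$1" | grep -Eq '^DROP +all +-- +0\.0\.0\.0/0 +0\.0\.0\.0/0'; then
        echo icc-off
    else
        echo icc-on
    fi
}

# One "src -> dst port-match" line per explicit container-to-container
# ACCEPT rule, i.e. the rules --link adds on top of the DROP policy.
link_rules() {
    forward_rules "$1" | awk '$1 == "ACCEPT" && $2 == "tcp" { print $4 " -> " $5 " " $NF }'
}

# Number of --link ACCEPT rules (awk avoids the padded output of wc -l).
link_rule_count() {
    link_rules "$1" | awk 'END { print NR }'
}

# Constructed sample outputs, modelled on the listings in this section.
SYSCTL_SAMPLE='net.ipv4.ip_forward = 1'

IPTABLES_ICC_OFF='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.17.0.2           172.17.0.3           tcp spt:80
ACCEPT     tcp  --  172.17.0.3           172.17.0.2           tcp dpt:80
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

IPTABLES_ICC_ON='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Summarise the audit of the constructed samples.
audit() {
    echo "ip_forward: $(ip_forward_state "$SYSCTL_SAMPLE")"
    echo "icc (locked host): $(icc_state "$IPTABLES_ICC_OFF")"
    echo "--link rules on locked host:"
    link_rules "$IPTABLES_ICC_OFF" | sed 's/^/  /'
    echo "icc (default host): $(icc_state "$IPTABLES_ICC_ON")"
}
audit
```

On a real host, pass live output instead of the samples, for example icc_state "$(sudo iptables -nL)". The parser assumes the Docker rules sit directly in the FORWARD chain, as in the listings above; newer Docker releases place their rules in dedicated chains (DOCKER-USER, DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2) that FORWARD jumps to, so on such hosts the chain name in the awk filter needs adjusting, and --link itself is a legacy feature of the default bridge.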
Note: CONTAINER_NAME in --link=CONTAINER_NAME:ALIAS must be either the name Docker assigned automatically or a name specified with the --name parameter. The host name is not recognized.