1. Host Service Port
$ iptables -I INPUT -p tcp --dport 80 -j DROP
$ iptables -I INPUT -p tcp -s 1.2.3.4 --dport 80 -j ACCEPT
Here only 1.2.3.4 is allowed to reach port 80 on the host itself. The order matters: -I inserts at the head of the chain, so the DROP is issued first and the ACCEPT second, leaving the ACCEPT above the DROP where it is evaluated first. Issuing them the other way round would put the DROP on top and block 1.2.3.4 as well.
2. Docker Service Port
For a service started with a published port, for example docker run -d -p 80:80 shaowenchen/demo-whoami, the INPUT rules above have no effect: Docker DNATs the published port to the container and the traffic traverses the FORWARD chain, never INPUT. The restriction therefore has to go into the DOCKER-USER chain.
Docker installs its own rules in the DOCKER chain and rewrites them as containers start and stop. Rules that must be evaluated before Docker's belong in DOCKER-USER, which FORWARD jumps to first and which Docker leaves untouched.
$ iptables -I DOCKER-USER -i ens190 ! -s 1.2.3.4 -p tcp --dport 80 -j DROP
ens190 is the interface on which external traffic arrives; limiting the rule to it leaves container-to-container traffic on the Docker bridge unaffected. Everything except 1.2.3.4 is dropped, so again only 1.2.3.4 can reach port 80. Note that this rule is matched after Docker's DNAT, so --dport refers to the container port; it coincides with the host port here only because the mapping is 80:80.
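The two cases above, as an added example that is not part of the original post: a POSIX shell script that generates the rules in the order they must be issued, prints them for review, and with APPLY=1 (run as root) installs them without stacking duplicates. The interface name ens190, the address 1.2.3.4 and the port numbers are assumed values. The Docker rule deliberately goes beyond the page's form: it matches the destination port the client originally connected to via the conntrack match, so it also covers mappings such as -p 8080:80 where host and container ports differ.

```sh
#!/bin/sh
# Added example, not code from the original post. Builds the iptables rules
# for a host-served port and a Docker-published port and, with APPLY=1 as
# root, installs them. Interface, address and ports are assumed values.

# Rules for a port served by the host itself (INPUT chain). "-I" inserts at
# the top of the chain, so the DROP is emitted first and the ACCEPT second:
# the ACCEPT then sits above the DROP and is evaluated first.
host_port_rules() {
    allowed="$1"; port="$2"
    printf '%s\n' \
        "iptables -I INPUT -p tcp --dport $port -j DROP" \
        "iptables -I INPUT -p tcp -s $allowed --dport $port -j ACCEPT"
}

# Rule for a Docker-published port (DOCKER-USER chain). By the time a packet
# reaches DOCKER-USER it has already been DNATed, so "--dport" would match the
# container port. The conntrack match on the original destination port keeps
# the rule tied to the host port the client connected to, which is what you
# want when host and container ports differ, e.g. "-p 8080:80".
docker_port_rule() {
    iface="$1"; allowed="$2"; hostport="$3"
    printf '%s\n' "iptables -I DOCKER-USER -i $iface ! -s $allowed -p tcp -m conntrack --ctorigdstport $hostport --ctdir ORIGINAL -j DROP"
}

# Turn an insert command into the matching "-C" check command, which exits 0
# when an identical rule is already present in the chain.
check_form() {
    printf '%s\n' "$1" | sed 's/ -I / -C /'
}

# Install a rule only if it is not already there, so re-running the script
# does not pile up duplicate rules.
apply_rule() {
    rule="$1"
    if $(check_form "$rule") 2>/dev/null; then
        echo "already present: $rule"
    else
        $rule
    fi
}

main() {
    iface="${IFACE:-ens190}"      # assumed external interface
    allowed="${ALLOWED:-1.2.3.4}" # assumed client allowed to connect
    {
        host_port_rules "$allowed" 80            # host service on port 80
        docker_port_rule "$iface" "$allowed" 80  # docker run -p 80:80 ...
    } | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            apply_rule "$rule"
        else
            echo "$rule"   # dry run: print the rule, do not apply it
        fi
    done
}

main "$@"
```

Without APPLY=1 the script only prints the three commands, which is a convenient way to review the rule set before touching a remote host's firewall. After applying, iptables -L DOCKER-USER -n -v shows the packet counters for the DROP rule, which is the quickest way to confirm that blocked clients are actually hitting it.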
3. Clean Environment
$ yum install -y iptables-services
$ systemctl restart iptables.service
Restarting iptables.service reloads the rule set stored in /etc/sysconfig/iptables, which discards any rules added at runtime but not yet saved; this is a quick way to get back to a known state after experimenting. Conversely, if the rules you added are to survive a host reboot, they have to be saved to that file, which the same package provides a command for:
$ service iptables save