Docker高級(jí)教程之智能添加與修改防火墻規(guī)則

更新時(shí)間：2017年01月25日 09:25:07 作者：chengxuyuanyonghu

這篇文章主要介紹了Docker高級(jí)教程之智能添加與修改防火墻規(guī)則,需要的朋友可以參考下

資料簡(jiǎn)介：如果你有以下痛苦：

1、使用默認(rèn)docker0橋接方式；

2、修改防火墻規(guī)則的話，使用手動(dòng)修改配置；

3、并且修改時(shí)候還得計(jì)算來(lái)源端口，防止重復(fù)端口使用戶登陸錯(cuò)誤容器；

4、并當(dāng)容器意外重啟，內(nèi)網(wǎng)ip變化后還得修改規(guī)則

那么你可以看看本文了，對(duì)你這些痛處都有解決方法。

目前docker容器設(shè)置訪問(wèn)規(guī)則的話，就2個(gè)方法

1、在docker容器創(chuàng)建的時(shí)候，使用-p來(lái)設(shè)置

2、在容器運(yùn)行中，獲取容器的ip，然后在宿主機(jī)的iptables力通過(guò)nat鏈做dnat設(shè)置

我之前一直使用第2個(gè)方法，但隨著我docker項(xiàng)目的增加（目前我這里研發(fā)使用docker的容器做測(cè)試機(jī)），防火墻的訪問(wèn)規(guī)則設(shè)置起來(lái)十分麻煩，并且之前規(guī)劃沒(méi)有弄好，容器的網(wǎng)絡(luò)還是默認(rèn)的docker0橋接方式，這樣容器一掛或者異常問(wèn)題、docker daemon重啟，都會(huì)導(dǎo)致容器的ip變更，變更后就得修改防火墻策略，十分的麻煩。

為了解決這個(gè)問(wèn)題，我開(kāi)發(fā)了2個(gè)程序，1個(gè)是持久化固定容器ip，另外一個(gè)是智能防火墻，下面是關(guān)于智能防火墻功能的介紹。

一、介紹

1、編寫(xiě)語(yǔ)言

python

2、運(yùn)行環(huán)境

容器需要使用我之前寫(xiě)的持久化固定ip方式來(lái)創(chuàng)建
需要額外安裝的python模塊
etcd
docker
nmap

3、基本宿主機(jī)防火墻（包含filter鏈與nat鏈）

默認(rèn)在/root/firewall里有個(gè)基礎(chǔ)的宿主機(jī)防火墻，里面包含filter鏈與nat鏈，我的防火墻程序先獲取這個(gè)文件，然后在從etcd里獲取各容器的防火墻結(jié)合后是新的規(guī)則，如下面是我的

[root@docker-test3 firewall]# cat /root/firewall/iptables_base.txt
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:83]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i em1 -j ACCEPT
-A INPUT -i ovs1 -j ACCEPT
#forllow is room network
-A INPUT -s 117.121.x.0/24 -p tcp -m multiport --dports 50020 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT
# Completed on Fri Dec 6 10:59:13 2013
*nat
:PREROUTING ACCEPT [2:269]
:POSTROUTING ACCEPT [1739:127286]
:OUTPUT ACCEPT [1739:127286]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
COMMIT

其中50020是ssh端口,117.121.x.0/24是允許的網(wǎng)段，x的意思保密，不讓你們看我的網(wǎng)絡(luò)。

4、代碼

#!/usr/bin/env python
#-*- coding: utf-8 -*-
#author:Deng Lei
#email: dl528888@gmail.com
import os
import sys
import argparse
import etcd
import time
import socket, struct, fcntl
from docker import Client
import subprocess
import shutil
import nmap
def get_local_ip(iface = 'em1'):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd = sock.fileno()
SIOCGIFADDR = 0x8915
ifreq = struct.pack('16sH14s', iface, socket.AF_INET, 'x00'*14)
try:
res = fcntl.ioctl(sockfd, SIOCGIFADDR, ifreq)
except:
return None
ip = struct.unpack('16sH2x4s8x', res)[2]
return socket.inet_ntoa(ip)
def docker_container_all():
docker_container=docker_client.containers(all=True)
container_name=[]
container_stop_name=[]
for i in docker_container:
container_name.append(i['Names'])
for b in container_name:
for c in b:
container_stop_name.append(c)
return container_stop_name
def docker_container_run():
docker_container=docker_client.containers()
container_name=[]
container_stop_name=[]
for i in docker_container:
container_name.append(i['Names'])
for b in container_name:
for c in b:
container_stop_name.append(c[1::])
return container_stop_name
if __name__ == "__main__":
#follow is help info
p = argparse.ArgumentParser(description='It is userful tool to modify docker container firewall')
p.add_argument("container_name",help="list local docker container name")
p.add_argument("-l","--list",help="show container firewall rules",action="store_true")
p.add_argument("-a","--add",help="add container firewall rules",action="store_true")
p.add_argument("-r","--rm",help="rm container firewall rules")
p.add_argument("-m","--mode",choices=["internal","external"],help="set container firewall mode")
p.add_argument("-s","--source",help="source ip view container firewall rules")
p.add_argument("-sp","--sport",help="source port view container firewall rules")
p.add_argument("-d","--dest",help="destination ip container firewall rules")
p.add_argument("-dp","--dport",help="destination port view container firewall rules")
p.add_argument("-pm","--portmode",choices=["dynamic","manual"],help="set container port mode")
p.add_argument("-e","--effect",help="effect container firewall rules",action="store_true")
p.add_argument("-ap","--addip",help="add external ip to container")
p.add_argument("-rp","--rmip",help="rm external ip to container")
args = p.parse_args()
local_ip=get_local_ip('ovs1')
docker_etcd_key='/app/docker/'
etcd_client=etcd.Client(host='127.0.0.1', port=4001)
docker_client = Client(base_url='unix://var/run/docker.sock', version='1.15', timeout=10)
docker_container_all_name=docker_container_all()
portmode='manual'
container_ip=''
#get container ip
r = etcd_client.read('%s%s'%(docker_etcd_key,local_ip), recursive=True, sorted=True)
for child in r.children:
if child.dir is not True and args.container_name in child.key and 'firewall' not in child.key:
container_ip=eval(child.value)['Container_ip']
if len(container_ip) == 0 and args.container_name != "all":
print 'This container:%s info is not in etcd!'%args.container_name
sys.exit(1)
if '/'+args.container_name not in docker_container_all_name and args.container_name != "all":
print 'local host docker is not container:%s!'%args.container_name
sys.exit(1)
if args.list:
try:
now_firewall_rule=etcd_client.read('%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)).value
except KeyError:
print 'This container:%s is not firewall rule!'%args.container_name
sys.exit(1)
if len(now_firewall_rule) >0:
now_firewall_rule=eval(now_firewall_rule)
print 'Follow is container:%s firewall rule!'%args.container_name
for i in now_firewall_rule:
print i
else:
print 'This container:%s is not firewall rule!'%args.container_name
sys.exit(1)
if args.portmode=="dynamic":
try:
now_port=etcd_client.read('%s%s/firewall/now_port'%(docker_etcd_key,local_ip)).value
except KeyError:
now_port='40000'
now_port=int(now_port) + 1
key='%s%s/firewall/now_port'%(docker_etcd_key,local_ip)
etcd_client.write(key,now_port)
portmode=args.portmode
elif args.portmode=="manual":
if len(args.sport)>0:
now_port=args.sport
else:
print 'no input source port'
key='%s%s/firewall/now_port'%(docker_etcd_key,local_ip)
etcd_client.write(key,now_port)
#add docker container firewall rule
if args.add:
if args.mode:
if args.source:
if args.source == "all":
source_ip='0.0.0.0/0.0.0.0'
else:
source_ip=args.source
if args.portmode=="dynamic":
sport=now_port
else:
sport=args.sport
if args.dport:
dport=args.dport
else:
print 'please input dest port!This port is container local port!'
sys.exit(1)
try:
now_id=len(eval(etcd_client.read('%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)).value))
except KeyError:
now_id='0'
except SyntaxError:
now_id='0'
now_id = int(now_id) + 1
if args.mode=="internal":
msg={'Id':now_id,'Mode':args.mode,'Container_name':args.container_name,'Source_ip':source_ip,'Port_mode':portmode,'Source_port':'%s'%sport,'Local_port':dport,'Container_ip':container_ip}
else:
if args.dest:
msg={'Id':now_id,'Mode':args.mode,'Container_name':args.container_name,'Source_ip':source_ip,'Destination_ip':args.dest,'Port_mode':portmode,'Source_port':'%s'%sport,'Local_port':dport,'Container_ip':container_ip}
else:
print 'please input destination ip'
sys.exit(1)
#add rule to iptables
try:
now_firewall_rule=etcd_client.read('%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)).value
now_firewall_rule=eval(now_firewall_rule)
except KeyError:
now_firewall_rule=[]
except SyntaxError:
now_firewall_rule=[]
for i in now_firewall_rule:
if msg['Local_port'] == i['Local_port'] and msg['Source_ip'] == i['Source_ip'] and msg['Mode'] == i['Mode'] and msg['Container_name'] == i['Container_name'] and msg['Source_port'] == i['Source_port']:
print 'This rule had exist!'
sys.exit(1)
now_firewall_rule.append(msg)
key='%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)
etcd_client.write(key,now_firewall_rule)
for i in now_firewall_rule:
print i
#del exist firewall rule
if args.rm:
try:
now_info=eval(etcd_client.read('%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)).value)
except KeyError:
print 'This Container:%s is not firewall rule!'%args.container_name
sys.exit(1)
except SyntaxError:
print 'This container:%s is not firewall rule!'%args.container_name
sys.exit(1)
old_id=[i['Id'] for i in now_info]
if args.rm != 'all':
if int(args.rm) not in old_id:
print 'you input rule id %s is not exit!'%args.rm
sys.exit(1)
for i in now_info:
if int(args.rm) == i['Id']:
now_info.remove(i)
print 'Follow is container_name:%s new firewall rule!'%args.container_name
for i in now_info:
print i
key='%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)
etcd_client.write(key,now_info)
sys.exit(0)
else:
now_info=''
key='%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)
etcd_client.write(key,now_info)
print 'This container_name:%s is not firewall rule!'%args.container_name
sys.exit(0)
#effect container firewall rule
if args.effect:
#check firewall filter exist
config_dir='/root/firewall'
iptables_config='iptables_base.txt'
if os.path.exists(config_dir) is False:
os.mkdir(config_dir)
if os.path.isfile('%s/%s'%(config_dir,iptables_config)) is False:
print 'no found base iptables config in %s/%s!'%(config_dir,iptables_config)
sys.exit(1)
docker_container_run=docker_container_run()
etcd_exist_firewall=[]
if args.container_name != "all":
container_name=args.container_name
try:
now_info=eval(etcd_client.read('%s%s/firewall/nat-%s'%(docker_etcd_key,local_ip,args.container_name)).value)
msg=[]
msg.append('#follow is container:%s firewall rulen'%args.container_name)
for i in now_info:
if 'Destination_ip' not in i:
text='-A DOCKER -s %s ! -i ovs2 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s'%(i['Source_ip'],i['Source_port'],i['Container_ip'].split('/')[0],i['Local_port'])
msg.append('%sn'%text)
else:
text='-A DOCKER -s %s -d %s ! -i ovs2 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s'%(i['Source_ip'],i['Destination_ip'],i['Source_port'],i['Container_ip'].split('/')[0],i['Local_port'])
msg.append('%sn'%text)
except SyntaxError:
msg=''
#wirte container firewall rule
iptables_new_config='iptables_nat_%s.txt'%args.container_name
f=open('%s/%s'%(config_dir,iptables_new_config),'w')
for i in msg:
f.write(i)
f.close()
else:
r = etcd_client.read('%s%s/firewall'%(docker_etcd_key,local_ip), recursive=True, sorted=True)
for child in r.children:
if child.dir is not True and 'nat' in child.key and child.key.split('/')[-1].split('nat-')[-1] in docker_container_run:
#etcd_exist_firewall.append(child.key.split('/')[-1].split('nat-')[-1])
try:
now_info=eval(etcd_client.read(child.key).value)
msg=[]
msg.append('#follow is container:%s firewall rulen'%child.key.split('/')[-1].split('nat-')[-1])
for i in now_info:
if 'Destination_ip' not in i:
text='-A DOCKER -s %s ! -i ovs2 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s'%(i['Source_ip'],i['Source_port'],i['Container_ip'].split('/')[0],i['Local_port'])
msg.append('%sn'%text)
else:
text='-A DOCKER -s %s -d %s ! -i ovs2 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s'%(i['Source_ip'],i['Destination_ip'],i['Source_port'],i['Container_ip'].split('/')[0],i['Local_port'])
msg.append('%sn'%text)
except SyntaxError:
msg=''
#wirte container firewall rule
iptables_new_config='iptables_nat_%s.txt'%child.key.split('/')[-1].split('nat-')[-1]
f=open('%s/%s'%(config_dir,iptables_new_config),'w')
for i in msg:
f.write(i)
f.close()
#get now all container firewall rule
all_firewall_file=[]
for parent,dirnames,filenames in os.walk(config_dir):
for filename in filenames:
if 'iptables_nat' in filename:
all_firewall_file.append(os.path.join(parent,filename))
#get iptables base file line
count = len(open('%s/%s'%(config_dir,iptables_config),'rU').readlines())
modify_post=int(count)-1
f=open('%s/%s'%(config_dir,iptables_config),'r+')
flist=f.readlines()
flist[modify_post]=''
f=open
for i in all_firewall_file:
f=open(i)
try:
container_text=f.read()
finally:
f.close()
flist.append(container_text)
flist.append('COMMITn')
f=open('%s/temp_iptables.txt'%config_dir,'w')
for i in flist:
f.write(i)
f.close()
#apply new firewall rule
shutil.copy('%s/temp_iptables.txt'%config_dir,'/etc/sysconfig/iptables')
#restart firewall
firewall_status=((subprocess.Popen("systemctl restart iptables &>>/dev/null && echo 0 || echo 1",shell=True,stdout=subprocess.PIPE)).stdout.readlines()[0]).strip('n')
if firewall_status != "0":
print 'firewall rule has problem!'
sys.exit(1)
else:
print 'config firewall rule is success!'
sys.exit(0)
if args.addip:
if '/' not in args.addip:
print 'please input ip:netmask!'
sys.exit(1)
external_ip=args.addip.split('/')[0]
external_ip_netmask=args.addip.split('/')[1]
#nmap ip exist!
nm = nmap.PortScanner()
nmap_result=nm.scan(external_ip,'60020')['nmap']['scanstats']['uphosts']
if int(nmap_result) == 1:
print 'you input ip:%s is online!'%external_ip
sys.exit(1)
try:
now_ip=eval(etcd_client.read('%s%s/external_ip/%s'%(docker_etcd_key,local_ip,external_ip)).value)
if now_ip['Container_name'] != args.container_name:
print 'this is external ip:%s is has used by container:%s.if you want to use it again,please delete this key:%s.'%(args.addip,now_ip['Container_name'],'%s%s/external_ip/%s'%(docker_etcd_key,local_ip,external_ip))
sys.exit(1)
except KeyError:
pass

#get device info
try:
now_device=etcd_client.read('%s%s/external_ip/device'%(docker_etcd_key,local_ip)).value
except KeyError:
now_device='em2:0'
new_device=now_device.split(':')[0]+':'+str(int(now_device.split(':')[1])+1)
key='%s%s/external_ip/device'%(docker_etcd_key,local_ip)
etcd_client.write(key,new_device)
#add new external ip in localhost
if int(external_ip_netmask) == 8:
external_ip_netmask='255.0.0.0'
elif int(external_ip_netmask) == 16:
external_ip_netmask='255.255.0.0'
elif int(external_ip_netmask) == 24:
external_ip_netmask='255.255.255.0'
elif int(external_ip_netmask) == 32:
external_ip_netmask='255.255.255.255'
else:
print 'you input netmask %s i can not calculate'%external_ip_netmask
sys.exit(1)
add_external_ip_status=((subprocess.Popen("/sbin/ifconfig %s %s netmask %s up &>>/dev/null && echo 0 || echo 1"%(new_device,external_ip,external_ip_netmask),shell=True,stdout=subprocess.PIPE)).stdout.readlines()[0]).strip('n')
if add_external_ip_status != "0":
print 'add external ip:%s is fail!'%args.addip
sys.exit(1)
else:
print 'add external ip:%s is success!'%args.addip
key='%s%s/external_ip/%s'%(docker_etcd_key,local_ip,external_ip)
info={'Ip':external_ip,'Netmask':external_ip_netmask,'Container_name':args.container_name,'Device':new_device,'Date':time.strftime('%Y.%m.%d-%T')}
etcd_client.write(key,info)
sys.exit(0)
if args.rmip:
try:
now_ip=eval(etcd_client.read('%s%s/external_ip/%s'%(docker_etcd_key,local_ip,args.rmip)).value)
except KeyError:
print 'This external ip:%s is not use in etcd!'%args.rmip
sys.exit(1)
if now_ip['Container_name'] != args.container_name:
print 'this is external ip:%s is has used by container:%s.if you want to delete it,please input correct container:%s and external ip:%s.'%(args.rmip,now_ip['Container_name'],now_ip['Container_name'],now_ip['Ip'])
sys.exit(1)
#delete use external ip in localhost
delete_external_ip_status=((subprocess.Popen("/sbin/ifconfig %s down &>>/dev/null && echo 0 || echo 1"%(now_ip['Device']),shell=True,stdout=subprocess.PIPE)).stdout.readlines()[0]).strip('n')
if delete_external_ip_status != "0":
print 'delete external ip:%s is fail!'%args.rmip
sys.exit(1)
else:
print 'delete external ip:%s is success!'%args.rmip
key='%s%s/external_ip/%s'%(docker_etcd_key,local_ip,args.rmip)
etcd_client.delete(key)
sys.exit(0)
sys.exit(1)

建議根據(jù)自己實(shí)際環(huán)境來(lái)修改上面代碼，我這個(gè)僅是讓大家參考我的運(yùn)行方式，以及可以使用這個(gè)東東來(lái)解決自己的問(wèn)題，大家如果有其他的方法也可以使用。

二、運(yùn)行

1、使用幫助

[root@docker-test3 code]# python modify_docker_container_firewall.py -h
usage: modify_docker_container_firewall.py [-h] [-l] [-a] [-r RM]
[-m {internal,external}]
[-s SOURCE] [-sp SPORT] [-d DEST]
[-dp DPORT] [-pm {dynamic,manual}]
[-e] [-ap ADDIP] [-rp RMIP]
container_name

It is userful tool to modify docker container firewall

positional arguments:
container_name list local docker container name

optional arguments:
-h, --help show this help message and exit
-l, --list show container firewall rules
-a, --add add container firewall rules
-r RM, --rm RM rm container firewall rules
-m {internal,external}, --mode {internal,external}
set container firewall mode
-s SOURCE, --source SOURCE
source ip view container firewall rules
-sp SPORT, --sport SPORT
source port view container firewall rules
-d DEST, --dest DEST destination ip container firewall rules
-dp DPORT, --dport DPORT
destination port view container firewall rules
-pm {dynamic,manual}, --portmode {dynamic,manual}
set container port mode
-e, --effect effect container firewall rules
-ap ADDIP, --addip ADDIP
add external ip to container
-rp RMIP, --rmip RMIP
rm external ip to container

說(shuō)明：

-l是展示當(dāng)前容器的所有防火墻規(guī)則，后面不加值

-a是進(jìn)行增加容器防火墻規(guī)則，后面不加值

-r是刪除容器規(guī)則，后面是防火墻的id值

-m是防火墻規(guī)則的模式，有internal（內(nèi)部模式）與external（外部模式），如果你使用跟宿主機(jī)一樣出口ip的話，選擇

internal，如果使用獨(dú)立的外網(wǎng)ip，就選擇external

-s是來(lái)源ip，后面是ip/netmask模式

-sp是來(lái)源訪問(wèn)端口，后面需要輸入允許外邊訪問(wèn)進(jìn)來(lái)的端口

-d是指定獨(dú)立的外網(wǎng)ip，后面需要輸入ip值

-dp是指定訪問(wèn)容器的端口，后面是屬于端口值

-pm是指定來(lái)源端口的模式，有dynamic與manual模式，如果選擇dynamic就不需要你指定來(lái)源端口值，會(huì)自動(dòng)生成一個(gè)值，使

用manual的話，就需要你手動(dòng)輸入一個(gè)來(lái)源端口值

-e是設(shè)置好防火墻后，應(yīng)用此防火墻策略，也就是在iptables里生效，后面不加值

-ap是在本機(jī)增加獨(dú)立的外網(wǎng)ip，后面是ip/netmask模式

-rp是刪除本機(jī)獨(dú)立外網(wǎng)ip，后面是ip模式

2、查看test1的規(guī)則

目前我本機(jī)有test1-3這3個(gè)容器

[root@docker-test3 code]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c07b67c2382a docker.ops-chukong.com:5000/centos6-http:new "/usr/bin/supervisor 40 hours ago Up 40 hours test2
7c31bbfe0091 docker.ops-chukong.com:5000/centos6-http:new "/usr/bin/supervisor 3 days ago Up 15 hours test1
5eede798f189 docker.ops-chukong.com:5000/centos6-http:new "/usr/bin/supervisor 3 days ago Exited (0) 24 hours ago test3

其中test1與test2都使用持久化固定ip了，test3沒(méi)有

現(xiàn)在使用智能防火墻查看test1 的防火墻

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -l
This container:test1 is not firewall rule!
[root@docker-test3 code]# python modify_docker_container_firewall.py test2 -l
This container:test2 is not firewall rule!
[root@docker-test3 code]# python modify_docker_container_firewall.py test3 -l
This container:test3 info is not in etcd!

可以看到test1與test2都是沒(méi)有規(guī)則的，而test3每一使用持久化固定ip，所以沒(méi)辦法查看數(shù)據(jù)

3、添加規(guī)則

先給test1添加內(nèi)部模式規(guī)則-m internal，這樣能使用docker宿主機(jī)的外網(wǎng)ip+port訪問(wèn)

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -a -m internal -s 1.1.1.1/24 -pm dynamic -dp 22
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 1, 'Container_ip': '172.16.1.2/24'}

這樣是給與test1容器設(shè)置，允許1.1.1.1/24通過(guò)40030（使用動(dòng)態(tài)模式自動(dòng)生成訪問(wèn)端口），訪問(wèn)test1的22端口

其中test1的容器ip自動(dòng)查看，不需要收到查找與手動(dòng)輸入

說(shuō)明

Mode是運(yùn)行的模式

Container_name是對(duì)應(yīng)容器名

Source_port是來(lái)源端口

Port_mode是指端口模式為動(dòng)態(tài)獲取

Local_port是目的端口

Source_ip是來(lái)源ip

Id是指防火墻規(guī)則的id，后面可以通過(guò)指定id來(lái)刪除規(guī)則

Container_ip是容器的ip

以上數(shù)據(jù)均是在使用持久化故障ip腳本生成容器的時(shí)候，程序自動(dòng)把數(shù)據(jù)寫(xiě)入到etcd里，然后只能防火墻也通過(guò)etcd獲取數(shù)據(jù)

在給test1添加一個(gè)使用手動(dòng)模式設(shè)置來(lái)源端口

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -a -m internal -s 1.1.1.1/24 -pm manual -sp 400031 -dp 22
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Source_ip': '1.1.1.1/24', 'Local_port': '22', 'Port_mode': 'dynamic', 'Id': 1, 'Container_ip': '172.16.1.2/24'}
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '400031', 'Port_mode': 'manual', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 2, 'Container_ip': '172.16.1.2/24'}

如果指定的來(lái)源端口相同，并且來(lái)源ip也相同會(huì)報(bào)錯(cuò)

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -a -m internal -s 1.1.1.1/24 -pm manual -sp 40031 -dp 22
This rule had exist!

現(xiàn)在通過(guò)-l參數(shù)來(lái)查看當(dāng)前test1的規(guī)則

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -l
Follow is container:test1 firewall rule!
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 1, 'Container_ip': '172.16.1.2/24'}
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40031', 'Source_ip': '1.1.1.1/24', 'Local_port': '22', 'Port_mode': 'manual', 'Id': 2, 'Container_ip': '172.16.1.2/24'}

可以看到有2個(gè)剛才輸入的規(guī)則

4、防火墻規(guī)則生效

先查看當(dāng)前宿主機(jī)防火墻

[root@docker-test3 code]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 117K packets, 11M bytes)
pkts bytes target prot opt in out source destination
15431 914K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 11906 packets, 716K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1462 packets, 86817 bytes)
pkts bytes target prot opt in out source destination
24 1424 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 4994 packets, 234K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 172.16.0.0/16 !172.16.0.0/16
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination

可以看到只有默認(rèn)的nat規(guī)則，其他的沒(méi)有

現(xiàn)在使用-e參數(shù)來(lái)生效

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -e
config firewall rule is success!

可以看到運(yùn)行成功

[root@docker-test3 code]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 53 packets, 5242 bytes)
pkts bytes target prot opt in out source destination
5 300 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 5 packets, 300 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 172.16.0.0/16 !172.16.0.0/16
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- !ovs2 * 1.1.1.0/24 0.0.0.0/0 tcp dpt:40030 to:172.16.1.2:22
0 0 DNAT tcp -- !ovs2 * 1.1.1.0/24 0.0.0.0/0 tcp dpt:40031 to:172.16.1.2:22

規(guī)則已經(jīng)運(yùn)行了

在去配置文件里看看

[root@docker-test3 code]# tail -n 12 /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [2:269]
:POSTROUTING ACCEPT [1739:127286]
:OUTPUT ACCEPT [1739:127286]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#follow is container:test1 firewall rule
-A DOCKER -s 1.1.1.1/24 ! -i ovs2 -p tcp -m tcp --dport 40030 -j DNAT --to-destination 172.16.1.2:22
-A DOCKER -s 1.1.1.1/24 ! -i ovs2 -p tcp -m tcp --dport 40031 -j DNAT --to-destination 172.16.1.2:22
COMMIT

也是跟我們之前配置的一樣，并且每個(gè)容器規(guī)則上面都有標(biāo)示下面規(guī)則是屬于哪個(gè)容器的，方便查看

5、刪除防火墻規(guī)則

當(dāng)前test1 的規(guī)則

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -l
Follow is container:test1 firewall rule!
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 1, 'Container_ip': '172.16.1.2/24'}
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40031', 'Source_ip': '1.1.1.1/24', 'Local_port': '22', 'Port_mode': 'manual', 'Id': 2, 'Container_ip': '172.16.1.2/24'}

使用-r來(lái)刪除，-r后面輸入id

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -r 2
Follow is container_name:test1 new firewall rule!
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 1, 'Container_ip': '172.16.1.2/24'}

然后-e生效

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -e
config firewall rule is success!
[root@docker-test3 code]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 4 packets, 200 bytes)
pkts bytes target prot opt in out source destination
3 168 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 172.16.0.0/16 !172.16.0.0/16
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- !ovs2 * 1.1.1.0/24 0.0.0.0/0 tcp dpt:40030 to:172.16.1.2:22
[root@docker-test3 code]# tail -n 12 /etc/sysconfig/iptables
# Completed on Fri Dec 6 10:59:13 2013
*nat
:PREROUTING ACCEPT [2:269]
:POSTROUTING ACCEPT [1739:127286]
:OUTPUT ACCEPT [1739:127286]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#follow is container:test1 firewall rule
-A DOCKER -s 1.1.1.1/24 ! -i ovs2 -p tcp -m tcp --dport 40030 -j DNAT --to-destination 172.16.1.2:22
COMMIT

可以看到已經(jīng)智能自動(dòng)修改了

6、添加額外的外網(wǎng)ip

使用-ap來(lái)添加

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -ap 117.121.x.99/24
add external ip:117.121.x.99/24 is success!
[root@docker-test3 code]# ping 117.121.x.99 -c 2
PING 117.121.x.99 (117.121.x.99) 56(84) bytes of data.
64 bytes from 117.121.x.99: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 117.121.x.99: icmp_seq=2 ttl=64 time=0.032 ms
--- 117.121.x.99 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.032/0.035/0.039/0.006 ms

可以看到已經(jīng)添加成功，并且能ping通，安全起見(jiàn)，我把額外的外網(wǎng)ip第三位添加個(gè)x，防止壞人掃描。

在通過(guò)修改防火墻來(lái)設(shè)置外部模式策略

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -a -m external -pm dynamic -s all -d 117.121.x.99 -dp 22
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Source_ip': '1.1.1.1/24', 'Local_port': '22', 'Port_mode': 'dynamic', 'Id': 1, 'Container_ip': '172.16.1.2/24'}
{'Destination_ip': '117.121.x.99', 'Mode': 'external', 'Container_name': 'test1', 'Source_port': '40033', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '0.0.0.0/0.0.0.0', 'Id': 2, 'Container_ip': '172.16.1.2/24'}

備注：其中-s all是允許所有公網(wǎng)ip訪問(wèn)

然后生效

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -e
config firewall rule is success!
[root@docker-test3 code]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 16 packets, 1308 bytes)
pkts bytes target prot opt in out source destination
1 60 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 172.16.0.0/16 !172.16.0.0/16
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- !ovs2 * 1.1.1.0/24 0.0.0.0/0 tcp dpt:40030 to:172.16.1.2:22
0 0 DNAT tcp -- !ovs2 * 0.0.0.0/0 117.121.x.99 tcp dpt:40033 to:172.16.1.2:22

然后ssh登陸試試

[root@docker-test3 code]# ssh 117.121.x.99 -l root -p 40033
The authenticity of host '[117.121.x.99]:40033 ([117.121.x.99]:40033)' can't be established.
RSA key fingerprint is 39:7c:13:9f:d4:b0:d7:63:fc:ff:ae:e3:46:a4:bf:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[117.121.x.99]:40033' (RSA) to the list of known hosts.
root@117.121.x.99's password:
Last login: Thu Mar 12 11:04:04 2015 from 211.151.20.221
root@7c31bbfe0091:~
11:04:57 # ifconfig
eth1 Link encap:Ethernet HWaddr 66:17:20:C3:4E:21
inet addr:172.16.1.2 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::6417:20ff:fec3:4e21/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:606 errors:0 dropped:2 overruns:0 frame:0
TX packets:411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:52692 (51.4 KiB) TX bytes:45451 (44.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

可以設(shè)置的外網(wǎng)ip可以正常登陸到test1的容器里

7、測(cè)試批量生效防火墻策略

目前僅有test1有防火墻測(cè)試了，現(xiàn)在給test2也設(shè)置

[root@docker-test3 code]# python modify_docker_container_firewall.py test2 -a -m internal -s 1.1.1.1/24 -pm dynamic -dp 22
{'Mode': 'internal', 'Container_name': 'test2', 'Source_port': '40034', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '0.0.0.0/0.0.0.0', 'Id': 1, 'Container_ip': '172.16.1.4/24'}
{'Mode': 'internal', 'Container_name': 'test2', 'Source_port': '40035', 'Source_ip': '0.0.0.0/0.0.0.0', 'Local_port': '22', 'Port_mode': 'dynamic', 'Id': 2, 'Container_ip': '172.16.1.4/24'}
{'Mode': 'internal', 'Container_name': 'test2', 'Source_port': '40036', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 3, 'Container_ip': '172.16.1.4/24'}

然后我在修改一下test1的

[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -a -m internal -s 2.2.2.2/24 -pm dynamic -dp 22
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40030', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '1.1.1.1/24', 'Id': 1, 'Container_ip': '172.16.1.2/24'}
{'Destination_ip': '117.121.x.99', 'Mode': 'external', 'Container_name': 'test1', 'Source_port': '40033', 'Source_ip': '0.0.0.0', 'Local_port': '22', 'Port_mode': 'dynamic', 'Id': 2, 'Container_ip': '172.16.1.2/24'}
{'Mode': 'internal', 'Container_name': 'test1', 'Source_port': '40037', 'Port_mode': 'dynamic', 'Local_port': '22', 'Source_ip': '2.2.2.2/24', 'Id': 3, 'Container_ip': '172.16.1.2/24'}

之前如果想動(dòng)態(tài)生效需要知道容器名，下面可以把容器名那里輸入all，就可以生效所有已經(jīng)設(shè)置的規(guī)則

[root@docker-test3 code]# python modify_docker_container_firewall.py all -e
config firewall rule is success!
[root@docker-test3 code]# iptables -t nat -L -nv
Chain PREROUTING (policy ACCEPT 20 packets, 1914 bytes)
pkts bytes target prot opt in out source destination
1 60 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 172.16.0.0/16 !172.16.0.0/16
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- !ovs2 * 1.1.1.0/24 0.0.0.0/0 tcp dpt:40030 to:172.16.1.2:22
0 0 DNAT tcp -- !ovs2 * 0.0.0.0 117.121.x.99 tcp dpt:40033 to:172.16.1.2:22
0 0 DNAT tcp -- !ovs2 * 2.2.2.0/24 0.0.0.0/0 tcp dpt:40037 to:172.16.1.2:22
0 0 DNAT tcp -- !ovs2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:40034 to:172.16.1.4:22
0 0 DNAT tcp -- !ovs2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:40035 to:172.16.1.4:22
0 0 DNAT tcp -- !ovs2 * 1.1.1.0/24 0.0.0.0/0 tcp dpt:40036 to:172.16.1.4:22
[root@docker-test3 code]# tail -n 15 /etc/sysconfig/iptables
:POSTROUTING ACCEPT [1739:127286]
:OUTPUT ACCEPT [1739:127286]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#follow is container:test1 firewall rule
-A DOCKER -s 1.1.1.1/24 ! -i ovs2 -p tcp -m tcp --dport 40030 -j DNAT --to-destination 172.16.1.2:22
-A DOCKER -s 0.0.0.0 -d 117.121.x.99 ! -i ovs2 -p tcp -m tcp --dport 40033 -j DNAT --to-destination 172.16.1.2:22
-A DOCKER -s 2.2.2.2/24 ! -i ovs2 -p tcp -m tcp --dport 40037 -j DNAT --to-destination 172.16.1.2:22
#follow is container:test2 firewall rule
-A DOCKER -s 0.0.0.0/0.0.0.0 ! -i ovs2 -p tcp -m tcp --dport 40034 -j DNAT --to-destination 172.16.1.4:22
-A DOCKER -s 0.0.0.0/0.0.0.0 ! -i ovs2 -p tcp -m tcp --dport 40035 -j DNAT --to-destination 172.16.1.4:22
-A DOCKER -s 1.1.1.1/24 ! -i ovs2 -p tcp -m tcp --dport 40036 -j DNAT --to-destination 172.16.1.4:22
COMMIT

很簡(jiǎn)單吧，比以前需要找到容器的ip，然后收到去防火墻里修改，并且修改的時(shí)候，還得計(jì)算給予的來(lái)源端口，現(xiàn)在是否舒服很多，以后有平臺(tái)想使用的話，直接調(diào)用就可以。

8、刪除額外的外網(wǎng)ip

使用rp參數(shù)

[root@docker-test3 code]# python modify_docker_container_firewall.py test2 -rp 117.121.x.99
this is external ip:117.121.x.99 is has used by container:test1.if you want to delete it,please input correct container:test1 and external ip:117.121.x.99.
[root@docker-test3 code]# python modify_docker_container_firewall.py test1 -rp 117.121.x.99
delete external ip:117.121.x.99 is success!

刪除的時(shí)候，還必須制定對(duì)應(yīng)的容器與額外外網(wǎng)ip，否則刪除失敗，但提供對(duì)于的容器與ip

[root@docker-test3 code]# ping -c2 117.121.x.99
PING 117.121.x.99 (117.121.x.99) 56(84) bytes of data.
From 117.121.x.3 icmp_seq=1 Destination Host Unreachable
From 117.121.x.3 icmp_seq=2 Destination Host Unreachable
--- 117.121.x.99 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
pipe 2

可以看到已經(jīng)刪除完成，ping不通了。

目前docker方面的文章，已經(jīng)完成了：

1、安裝docker

2、動(dòng)態(tài)擴(kuò)容docker容器的空間

3、動(dòng)態(tài)綁定volume

4、docker多主機(jī)網(wǎng)絡(luò)互聯(lián)

5、docker持久化固定ip

6、docker智能添加與修改防火墻

以后有空給大家分享Docker集群與平臺(tái)方面知識(shí)，希望大家多提意見(jiàn)。

您可能感興趣的文章: