Create an iptables rules file, /etc/iptables.conf, that defines a new chain called FILTERS. Both INPUT and DOCKER-USER hand the bulk of their traffic to FILTERS, so the rules deciding what may reach the host itself and what may reach published container ports are written once and maintained in one place. DOCKER-USER is used rather than FORWARD because dockerd inserts its own ACCEPT rules into FORWARD, evaluates DOCKER-USER before them, and leaves the contents of DOCKER-USER alone.
One thing to keep in mind: the FORWARD path runs after nat PREROUTING, so when FILTERS is reached via DOCKER-USER the --dport it sees is the container-side port after DNAT, not the published host port. A container published as 8080:80 is matched on port 80. If the two differ, Docker's documentation suggests matching the original destination with -m conntrack --ctorigdstport instead.
# /etc/iptables.conf, loaded with: iptables-restore -n /etc/iptables.conf
*filter
:INPUT ACCEPT [0:0]
# Policy DROP matches what Docker sets for FORWARD. There is no -F FORWARD
# below, so Docker's own FORWARD rules and chains are left untouched.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
# Declared here so the chain exists before dockerd starts; dockerd only
# creates DOCKER-USER when it is missing and does not flush it.
:DOCKER-USER - [0:0]
# Flush only the chains this file owns, so re-loading it is idempotent.
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
# Trust everything arriving over ZeroTier interfaces (zt*).
-A INPUT -i zt+ -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Everything else destined for the host itself goes through FILTERS.
-A INPUT -j FILTERS
# Forwarded traffic that arrived on the public interface (change eth0 to
# match the host) goes through the same chain, ahead of Docker's ACCEPT
# rules. Container-originated traffic enters on docker0, does not match,
# and falls back to Docker's own rules.
-A DOCKER-USER -i eth0 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management address allowed in unconditionally.
-A FILTERS -m state --state NEW -s 1.2.3.4/32 -j ACCEPT
# Via DOCKER-USER these ports are the container-side ports after DNAT.
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# 23 is telnet (cleartext); keep it only if something really listens there.
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Default deny, for both INPUT and published container ports.
-A FILTERS -j DROP
COMMIT
Load the file with the command below. Do not leave out -n (--noflush): without it iptables-restore flushes the whole filter table first, which deletes the DOCKER and DOCKER-ISOLATION-STAGE-* chains and the FORWARD jumps that dockerd created, and container networking stays broken until Docker is restarted. With -n the rules already in the kernel are kept, and the file itself flushes only the three chains it owns (INPUT, DOCKER-USER, FILTERS) before rebuilding them, so it can be re-loaded as often as needed.
iptables-restore -n /etc/iptables.conf
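To confirm that the layout is in place and that a restore did not wipe Docker's chains, here is a check script added to these notes (not part of the original). It reads iptables-save output on stdin and verifies the invariants the file is meant to establish. The two dumps embedded in it are constructed samples of what iptables-save prints on a Docker host after a restore with and without -n; eth0 is the interface name the rules file assumes.

```shell
#!/usr/bin/env bash
# Sanity check for the FILTERS / DOCKER-USER layout, run against the output
# of `iptables-save`. Example code added to these notes, not from the original.
#
#   iptables-save | check_ruleset      # on the real host (needs root)
#
# Exits 0 when every invariant holds; otherwise prints each failure and exits 1.

# True if the fixed string $2 appears as a whole line in $1.
rule_present() { printf '%s\n' "$1" | grep -qxF -- "$2"; }

check_ruleset() {
    local table rc=0 last first
    # Keep only the *filter table; iptables-save also dumps nat/mangle/raw.
    table=$(awk '/^\*filter$/ {f=1; next} /^COMMIT$/ {f=0} f')

    # 1. INPUT hands everything it did not accept itself to FILTERS.
    rule_present "$table" '-A INPUT -j FILTERS' \
        || { echo "FAIL: INPUT does not jump to FILTERS"; rc=1; }

    # 2. Forwarded traffic arriving on the public interface takes the same
    #    chain (eth0 is the interface name the rules file assumes).
    rule_present "$table" '-A DOCKER-USER -i eth0 -j FILTERS' \
        || { echo "FAIL: DOCKER-USER does not jump to FILTERS for eth0"; rc=1; }

    # 3. FILTERS is default-deny: its final rule is an unconditional DROP.
    last=$(printf '%s\n' "$table" | grep -- '^-A FILTERS ' | tail -n 1)
    [ "$last" = '-A FILTERS -j DROP' ] \
        || { echo "FAIL: FILTERS does not end in DROP (last rule: ${last:-none})"; rc=1; }

    # 4. Docker's own plumbing survived the restore. This is what -n protects:
    #    a restore without -n flushes the table and these disappear.
    printf '%s\n' "$table" | grep -q -- '^:DOCKER - ' \
        || { echo "FAIL: DOCKER chain is missing (restored without -n?)"; rc=1; }
    first=$(printf '%s\n' "$table" | grep -- '^-A FORWARD ' | head -n 1)
    [ "$first" = '-A FORWARD -j DOCKER-USER' ] \
        || { echo "FAIL: first FORWARD rule is not the DOCKER-USER jump (got: ${first:-none})"; rc=1; }

    return "$rc"
}

# Constructed, trimmed iptables-save output for a Docker host after
# `iptables-restore -n /etc/iptables.conf` and a dockerd start.
SAMPLE_OK=$(cat <<'EOF'
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:FILTERS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i zt+ -j ACCEPT
-A INPUT -j FILTERS
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -i eth0 -j FILTERS
-A DOCKER-USER -j RETURN
-A FILTERS -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -s 1.2.3.4/32 -m state --state NEW -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A FILTERS -j DROP
COMMIT
EOF
)

# Constructed: the same host after a restore WITHOUT -n. The table was
# flushed, so the DOCKER chains and dockerd's FORWARD jump are gone.
SAMPLE_NO_N=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:FILTERS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j FILTERS
-A DOCKER-USER -i eth0 -j FILTERS
-A FILTERS -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FILTERS -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FILTERS -j DROP
COMMIT
EOF
)

# Demo on the constructed samples; on a host use `iptables-save | check_ruleset`.
echo "== sample after restore with -n =="
printf '%s\n' "$SAMPLE_OK" | check_ruleset && echo "PASS"
echo "== sample after restore without -n =="
printf '%s\n' "$SAMPLE_NO_N" | check_ruleset || echo "FAIL (expected)"
```

The check deliberately tests position, not just presence, for the FORWARD jump: DOCKER-USER only protects published ports if it is evaluated before Docker's own ACCEPT rules, which is where dockerd puts it.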
Finally, create a systemd unit so the rules are loaded at boot and can be managed with the usual start, restart, reload and enable commands. Ordering it before network-pre.target means it runs before the interfaces are configured and before dockerd (which starts only after network-online.target), so FILTERS and DOCKER-USER already exist when Docker looks for them. The unit defines no ExecStop on purpose: stop only marks it inactive and leaves the rules in place.
vim /etc/systemd/system/iptables.service
[Unit]
Description=Restore iptables firewall rules
# network-pre.target is a passive target: it must be Wanted as well as
# ordered, otherwise it is never pulled in and Before= is not enforced.
Wants=network-pre.target
Before=network-pre.target
[Service]
Type=oneshot
# Stay "active (exited)" after loading so reload and restart behave normally.
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore -n /etc/iptables.conf
ExecReload=/sbin/iptables-restore -n /etc/iptables.conf
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable --now iptables
After editing /etc/iptables.conf, re-apply it with systemctl reload iptables (restart works as well). Do this from a session you keep open, and confirm from a second SSH connection that port 22 and the 1.2.3.4 management address still get through before trusting the change.