{"id":63,"date":"2024-08-03T20:52:16","date_gmt":"2024-08-03T17:52:16","guid":{"rendered":"https:\/\/casp.ru\/?p=63"},"modified":"2024-08-03T20:52:16","modified_gmt":"2024-08-03T17:52:16","slug":"docker-iptables","status":"publish","type":"post","link":"https:\/\/casp.ru\/?p=63","title":{"rendered":"docker iptables"},"content":{"rendered":"\n\u0427\u0442\u043e\u0431\u044b \u0434\u043e\u043a\u0435\u0440 \u043d\u0435 \u043f\u043e\u0440\u0442\u0438\u043b iptables \u043d\u0443\u0436\u043d\u043e \u0437\u0430\u043f\u0440\u0435\u0442\u0438\u0442\u044c \u0435\u043c\u0443 \u0441\u0430\u043c\u043e\u0441\u0442\u043e\u044f\u0442\u0435\u043b\u044c\u043d\u043e \u043c\u0435\u043d\u044f\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u0438 \u0432\u0440\u0443\u0447\u043d\u0443\u044e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430 nat \u0438 \u043f\u0440\u043e\u0447\u0435\u0435 \u0447\u0442\u043e \u043e\u0431\u044b\u0447\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u0435\u0442 \u0441\u0430\u043c \u0434\u043e\u043a\u0435\u0440.\n\n\u0414\u0435\u043b\u0430\u0435\u043c:\n<pre class=\\\"lang:sh decode:true \\\">iptables -t nat -N DOCKER\niptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\niptables -t nat -A OUTPUT ! -d 127.0.0.0\/8 -m addrtype --dst-type LOCAL -j DOCKER\niptables -t nat -A POSTROUTING -s 172.17.0.0\/16 ! -o docker0 -j MASQUERADE\niptables -t nat -A DOCKER -i docker0 -j RETURN\niptables -N DOCKER\niptables -A FORWARD -o docker0 -j DOCKER\n\n<\/pre>\n\u0414\u0430\u043b\u0435\u0435 \u0437\u0430\u043f\u0440\u0435\u0449\u0430\u0435\u043c \u0434\u0435\u043c\u043e\u043d\u0443 docker \u043c\u0435\u043d\u044f\u0442\u044c iptables. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043e\u0442\u043a\u0440\u044b\u0432\u0430\u0435\u043c \u0444\u0430\u0439\u043b \u00a0\/usr\/lib\/systemd\/system\/docker.service \u0438 \u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u0443\u0435\u043c \u0441\u0442\u0440\u043e\u043a\u0443. 
\u041f\u043e\u0441\u043b\u0435 \u0447\u0435\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u0447\u0438\u0442\u0430\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0433 \u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0442\u044c \u0434\u0435\u043c\u043e\u043d\u0430. \u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435 &#8212; \u0432\u0441\u0435 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u044b \u0442\u0430\u043a\u0436\u0435 \u0431\u0443\u0434\u0443\u0442 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0449\u0435\u043d\u044b.\n<pre class=\\\"lang:sh decode:true \\\">sed -i \\'s,^ExecStart=.*$,ExecStart=\/usr\/bin\/docker daemon -H fd:\/\/ --iptables=false,g\\'\u00a0\\\\\n\/usr\/lib\/systemd\/system\/docker.service<\/pre>\n\u041f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a:\n<pre class=\\\"lang:sh decode:true\\\">systemctl daemon-reload\nsystemctl restart docker<\/pre>\n&nbsp;\n\n\u0418 \u0435\u0441\u043b\u0438 INPUT \u00a0\u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e \u0434\u0440\u043e\u043f\u0430\u0435\u0442 \u043f\u0430\u043a\u0435\u0442\u044b &#8212; \u0442\u0430\u043a\u0436\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0442\u044c \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u0434\u043e\u043a\u0435\u0440\u043e\u043c \u043f\u043e\u0440\u0442\u044b.\n<pre class=\\\"lang:sh decode:true\\\">iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT\niptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT\niptables -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m comment --comment \\\"WEB ACCESS\\\" -j ACCEPT<\/pre>\n&nbsp;\n\n&nbsp;\n","protected":false},"excerpt":{"rendered":"<p>\u0427\u0442\u043e\u0431\u044b \u0434\u043e\u043a\u0435\u0440 \u043d\u0435 \u043f\u043e\u0440\u0442\u0438\u043b iptables \u043d\u0443\u0436\u043d\u043e \u0437\u0430\u043f\u0440\u0435\u0442\u0438\u0442\u044c \u0435\u043c\u0443 
\u0441\u0430\u043c\u043e\u0441\u0442\u043e\u044f\u0442\u0435\u043b\u044c\u043d\u043e \u043c\u0435\u043d\u044f\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u0438 \u0432\u0440\u0443\u0447\u043d\u0443\u044e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u043f\u0440\u0430\u0432\u0438\u043b\u0430 nat \u0438 \u043f\u0440\u043e\u0447\u0435\u0435 \u0447\u0442\u043e \u043e\u0431\u044b\u0447\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u0435\u0442 \u0441\u0430\u043c \u0434\u043e\u043a\u0435\u0440. \u0414\u0435\u043b\u0430\u0435\u043c: iptables -t nat -N DOCKER iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-63","post","type-post","status-publish","format-standard","hentry","category-docker","entry"],"_links":{"self":[{"href":"https:\/\/casp.ru\/index.php?rest_route=\/wp\/v2\/posts\/63","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/casp.ru\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/casp.ru\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/casp.ru\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/casp.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=63"}],"version-history":[{"count":1,"href":"https:\/\/casp.ru\/index.php?rest_route=\/wp\/v2\/posts\/63\/revisions"}],"predecessor-version":[{"id":64,"href":"https:\/\/casp.ru\/index.php?rest_route=\/wp\/v2\/posts\/63\/revisions\/64"}],"wp:attachment":[{"href":"https:\/\/casp.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/casp.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=63"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/casp.ru\/index.php?rest_route=%
2Fwp%2Fv2%2Ftags&post=63"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}