Fixing the problem of Docker container port mapping automatically opening ports in the firewall

When running third-party services in Docker we usually need to bind the service port to the host. But the -p port-mapping parameter automatically creates iptables rules that bypass firewalld, which makes port-level black and white list management very hard to control, so we need to modify iptables manually.


Here is an example using a container created from an image called centos.19.09.05:

First of all, if the system is CentOS 7, you need to turn off the firewalld firewall that comes with the system and switch to iptables.

Suppose you want to map container port 27017 to host port 27017. Under normal circumstances we use the command

docker run -idt -p 27017:27017 centos.19.09.05 /bin/bash

Once the service on port 27017 inside the container is up and running, we use an external port scanning tool and find that host port 27017 has been opened, even though we never opened it on the firewall. Now check the iptables rules:

iptables --list

In the DOCKER chain there is one extra rule:

Chain DOCKER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:27017

172.17.0.2 is the container's IP on the docker bridge. The rule allows any source address to access port 27017, so we need to delete it and replace it with more restrictive rules.

# Delete rule 1 of the DOCKER chain; if the rule to delete is not in the first row, use its row number instead
iptables -D DOCKER 1

# The container accepts connection requests only from the address 123.345.456.567
# (the post's placeholder; substitute the real client address). The match is on the
# service port inside the container, i.e. the destination port.
iptables -A DOCKER -s 123.345.456.567 -d 172.17.0.2 -p tcp --dport 27017 -j ACCEPT

# Accept all requests from the host's docker0 bridge, so the host itself can still reach the container
iptables -A DOCKER -s 172.17.0.0/24 -j ACCEPT

Port scanning again shows that port 27017 is now closed; only the host with IP 123.234.345.456 can connect.
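The procedure above is easy to get wrong by hand (wrong chain name, wrong row number, or deleting rows in an order that shifts the numbers of the remaining rules). The following shell script is an added example, not code from the original post: it parses the output of `iptables -L DOCKER -n --line-numbers`, lists every ACCEPT rule that admits a published port from any source, and prints the replacement commands from the post's recipe without applying them. The chain text and the client address 203.0.113.10 are constructed sample data; the docker0 rule it emits is narrowed to the container and port concerned, which goes slightly beyond the post's `-s 172.17.0.0/24 -j ACCEPT`.

```shell
#!/bin/sh
# Added example (not from the original post): audit the DOCKER chain for rules that
# accept a published port from any source and print the commands that replace them.

# Constructed sample of `iptables -L DOCKER -n --line-numbers` output; it was not
# captured from a real host. Rule 2 is already restricted and must be left alone.
SAMPLE_DOCKER_CHAIN='Chain DOCKER (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:27017
2    ACCEPT     tcp  --  10.0.0.5             172.17.0.3           tcp dpt:8080'

# find_open_rules CHAIN_TEXT
# Prints "num container_ip port" for every ACCEPT rule whose source is any address
# (0.0.0.0/0 with -n, or "anywhere" without it), highest rule number first so that
# deleting by number does not shift the numbers of rules still to be deleted.
find_open_rules() {
    printf '%s\n' "$1" | awk '
        $2 == "ACCEPT" && ($5 == "0.0.0.0/0" || $5 == "anywhere") && $NF ~ /^dpt:/ {
            split($NF, a, ":"); print $1, $6, a[2]
        }' | sort -rn
}

# build_fix NUM CONTAINER_IP PORT ALLOWED_SRC
# Prints the three iptables commands from the post for one open rule: drop the
# open rule, allow one client, and keep the host's docker0 bridge able to reach
# the container (narrowed here to that container and port).
build_fix() {
    printf 'iptables -D DOCKER %s\n' "$1"
    printf 'iptables -A DOCKER -s %s -d %s -p tcp --dport %s -j ACCEPT\n' "$4" "$2" "$3"
    printf 'iptables -A DOCKER -s 172.17.0.0/24 -d %s -p tcp --dport %s -j ACCEPT\n' "$2" "$3"
}

# audit CHAIN_TEXT ALLOWED_SRC
# Prints the complete fix script; nothing is applied, so it can be reviewed first.
audit() {
    find_open_rules "$1" | while read -r num cip port; do
        build_fix "$num" "$cip" "$port" "$2"
    done
}

# Stand-alone run against the constructed sample. 203.0.113.10 is a constructed
# client address from the documentation range, not a real host. To audit a live
# host, pass "$(iptables -L DOCKER -n --line-numbers)" as the first argument.
audit "$SAMPLE_DOCKER_CHAIN" 203.0.113.10
```

Run it as root with the live chain text and pipe the output through `sh` only after reading it. Docker rewrites the DOCKER chain whenever a container is (re)started, so the audit has to be repeated after any container restart, otherwise the permissive rule comes back.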


Original: www.cnblogs.com/qjfoidnh/p/11567309.html