Gist Shawyeok/690d79ca87656b3dbb4c9e0d0fd3c88a
Created by Shawyeok, March 22, 2017 16:54
# For example, I have a redis container and I want it to serve only specific IP addresses: 172.31.101.37 and 172.31.101.38.
# --name redis is needed so that the docker inspect call below can refer to the container by name.
$ docker run -d --name redis -p 6379:6379 redis:2.8

# After the redis container starts, the relevant part of the filter table looks like this.
# Docker's ACCEPT rule lives in the DOCKER chain, which is reached from FORWARD:
$ iptables -t filter -nL
Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:6379

# Get the IP address of the redis container (on the default bridge network it is .NetworkSettings.IPAddress):
$ docker inspect --format='{{.NetworkSettings.IPAddress}}' redis
172.17.0.2

# Create a custom chain: ACCEPT the two allowed sources, then DROP everything else aimed at the container's port.
$ iptables -N CUSTOM_REDIS
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 172.31.101.37 --destination 172.17.0.2 -j ACCEPT
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 172.31.101.38 --destination 172.17.0.2 -j ACCEPT
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 0.0.0.0/0 --destination 172.17.0.2 -j DROP

# Replace the original rule with a jump to the custom chain.
# Rule number 1 is right here only because redis is the sole container; with several containers, confirm the number first with
#   iptables -t filter -L DOCKER -n --line-numbers
$ iptables -R DOCKER 1 -p tcp --source 0.0.0.0/0 --destination 172.17.0.2 --dport 6379 -j CUSTOM_REDIS

# Now my redis can only be accessed from 172.31.101.37 and 172.31.101.38.
# Caveats: these rules are not persistent, and Docker rewrites the DOCKER chain when the daemon or the container restarts
# (the container may also come back with a different IP), so the custom chain and the replacement must be reapplied afterwards.
# The DOCKER chain only filters forwarded traffic: processes on the Docker host itself can still reach the published port.
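The procedure above as a reusable script (an added example, not the gist's own code): it builds the allow/drop chain from an allowlist, locates the DOCKER ACCEPT rule by destination and port instead of assuming it is rule 1, and only modifies iptables when run as root with APPLY=1. It assumes the container was started with --name, sits on the default bridge (so .NetworkSettings.IPAddress is populated), and that Docker's ACCEPT rule is in the filter table's DOCKER chain, as shown in the gist; the function and variable names are mine, and SAMPLE_LISTING is constructed test input.

```shell
#!/bin/sh
# Added example (not from the gist). Restrict a published container port to
# an allowlist of source IPs via a dedicated chain jumped to from DOCKER.
# Assumptions: container started with --name, default bridge network,
# Docker's ACCEPT rule in the filter table's DOCKER chain (as in the gist).

# emit_rules CHAIN DEST_IP PORT ALLOWED_SRC...
# Print the iptables commands that populate CHAIN: one ACCEPT per allowed
# source, then a DROP for everything else aimed at DEST_IP:PORT.
emit_rules() {
  chain=$1; dest=$2; port=$3; shift 3
  for src in "$@"; do
    printf 'iptables -A %s -p tcp --dport %s -s %s -d %s -j ACCEPT\n' \
      "$chain" "$port" "$src" "$dest"
  done
  printf 'iptables -A %s -p tcp --dport %s -d %s -j DROP\n' "$chain" "$port" "$dest"
}

# docker_rule_number LISTING DEST_IP PORT
# Given the output of `iptables -t filter -L DOCKER -n --line-numbers`, print
# the number of the ACCEPT rule for DEST_IP / tcp dpt:PORT (empty if none).
docker_rule_number() {
  printf '%s\n' "$1" | awk -v d="$2" -v dp="dpt:$3" \
    '$2 == "ACCEPT" && $3 == "tcp" && $6 == d && $8 == dp { print $1; exit }'
}

# Constructed sample listing: two containers, so the redis rule is NOT number 1.
SAMPLE_LISTING='Chain DOCKER (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:8080
2    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:6379'

# restrict NAME PORT ALLOWED_SRC...   (needs root; only called when APPLY=1)
restrict() {
  name=$1; port=$2; shift 2
  dest=$(docker inspect --format '{{.NetworkSettings.IPAddress}}' "$name")
  [ -n "$dest" ] || { echo "no bridge IP for container $name" >&2; return 1; }
  # Chain name derived from the container name, e.g. redis -> CUSTOM_REDIS.
  chain="CUSTOM_$(printf '%s' "$name" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9' '_')"
  listing=$(iptables -t filter -L DOCKER -n --line-numbers)
  num=$(docker_rule_number "$listing" "$dest" "$port")
  [ -n "$num" ] || { echo "no DOCKER ACCEPT rule for $dest:$port" >&2; return 1; }
  # Create the chain, or flush it when rerun (e.g. after a container restart).
  iptables -N "$chain" 2>/dev/null || iptables -F "$chain"
  emit_rules "$chain" "$dest" "$port" "$@" | sh -e
  # Swap Docker's blanket ACCEPT for a jump into our chain, at the right index.
  iptables -R DOCKER "$num" -p tcp -d "$dest" --dport "$port" -j "$chain"
}

if [ "${APPLY:-0}" = 1 ]; then
  restrict "$@"   # e.g. APPLY=1 sh restrict.sh redis 6379 172.31.101.37 172.31.101.38
else
  # Dry run: show what would be generated for the gist's redis container.
  emit_rules CUSTOM_REDIS 172.17.0.2 6379 172.31.101.37 172.31.101.38
  echo "DOCKER rule to replace in the sample listing: $(docker_rule_number "$SAMPLE_LISTING" 172.17.0.2 6379)"
fi
```

Without APPLY=1 the script is a dry run that prints the generated rules, so it is safe to inspect before touching a live host; the same restart caveat applies as for the hand-typed version, so rerun it after the daemon or container restarts.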