
I set up iptables with docker-compose, but the server is still receiving remote access attempts, so it seems I am not managing to allow-list only the IP addresses I want.
Connection matched pg_hba.conf line 95: "host all all all md5"
2021-09-01 21:36:42.132 UTC [8821] FATAL: password authentication failed for user "postgres"
2021-09-01 21:36:42.132 UTC [8821] DETAIL: Role "postgres" does not exist.
How do I fix this so that iptables is configured correctly? What did I do wrong here?
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT (where x is removed ip addresses)
-A INPUT -s xxx.xxx.xx.xx/xx -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -i br-1de8a78b46b8 -o br-1de8a78b46b8 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 2368 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5900 -j ACCEPT
-A DOCKER -d 172.18.0.5/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 4444 -j ACCEPT
-A DOCKER -d 172.18.0.8/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.9/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9300 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 9200 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-1de8a78b46b8 ! -o br-1de8a78b46b8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-1de8a78b46b8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
Edit:
My docker-compose configuration is as follows.
postgres:
  image: "postgres:12.1"
  env_file:
    - '.env'
  ports:
    - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  volumes:
    - postgres:/var/lib/postgresql/data
    - /opt/ghost_postgres:/var/lib/postgres
  networks:
    - esnet
redis:
  image: redis:5.0.6-alpine
  command: redis-server --requirepass "${REDIS_PASS}"
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  ports:
    - '6379:6379'
  volumes:
    - redis:/var/lib/redis/data
  networks:
    - esnet
prosebit:
  build:
    context: "."
    args:
      - "FLASK_ENV=${FLASK_ENV:-production}"
      - "NODE_ENV=${NODE_ENV:-production}"
  depends_on:
    - "postgres"
    - "redis"
  env_file:
    - ".env"
  ports:
    - "${DOCKER_WEB_PORT:-127.0.0.1:8000}:8000"
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  volumes:
    - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
  networks:
    - esnet
web:
  depends_on:
    - prosebit
  restart: always
  build:
    context: ../nginx #added /deploy for development, remove for production
    dockerfile: Dockerfile
  volumes:
    ...
  ports:
    - 80:80
    - 443:443
  networks:
    - "esnet"
celery:
  build:
    context: "."
    args:
      - "FLASK_ENV=${FLASK_ENV:-production}"
      - "NODE_ENV=${NODE_ENV:-production}"
  command: celery worker -B -l info -A
  env_file:
    - ".env"
  depends_on:
    - "postgres"
    - "redis"
  restart: "${DOCKER_RESTART_POLICY:-unless-stopped}"
  stop_grace_period: "${DOCKER_STOP_GRACE_PERIOD:-3s}"
  volumes:
    - "${DOCKER_WEB_VOLUME:-./public:/app/public}"
  networks:
    - "esnet"
Answer 1
Docker opens the port in the firewall itself, because your docker-compose.yml explicitly asks for port 5432 to be published to the outside:
  ports:
    - '5432:5432' # removed 127.0.0.1: - adding firewalls in iptables
I am not sure why this is here in any form. Remember that services on the same network can always reach each other and that ports does not need to be specified for that. Specify ports only to allow access from the outside.
P.S.: You have also exposed the Redis container to the world, which is probably not what you want.
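As an added audit example (not part of the question or the answer), the following Python script parses an iptables-save dump like the one above and reports two things: which Docker-published ports no DOCKER-USER DROP/REJECT gates, and which port rules appended to FORWARD sit behind the `-j DOCKER` jump and therefore never see published traffic, which is what happened to the iprange rules in the question. The dumps are constructed from the rules in the question; the hardened DOCKER-USER variant is an assumed fix, and the bridge name br-1de8a78b46b8 is taken from the dump.

```python
import shlex
# Constructed from the question's iptables-save dump, trimmed to the chains that govern published ports.
AS_POSTED = """
-A FORWARD -j DOCKER-USER
-A FORWARD -o br-1de8a78b46b8 -j DOCKER
-A FORWARD -p tcp -m tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5432 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER -d 172.18.0.2/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-1de8a78b46b8 -o br-1de8a78b46b8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER-USER -j RETURN
"""
# Assumed fix: the same allow-list placed in DOCKER-USER, which FORWARD consults before Docker's
# own ACCEPTs. '! -i br-...' leaves container-to-container traffic on the compose network alone.
HARDENED = AS_POSTED.replace("-A DOCKER-USER -j RETURN", """
-A DOCKER-USER ! -i br-1de8a78b46b8 -p tcp --dport 5432 -m iprange --src-range 82.208.14.110-82.208.14.119 -j RETURN
-A DOCKER-USER ! -i br-1de8a78b46b8 -p tcp --dport 5432 -j DROP
-A DOCKER-USER ! -i br-1de8a78b46b8 -p tcp --dport 6379 -j DROP
-A DOCKER-USER -j RETURN""")

def parse_rules(dump):
    """Return (chain, argv) for every '-A' line of an iptables-save dump."""
    rules = [shlex.split(line) for line in dump.splitlines() if line.startswith("-A ")]
    return [(r[1], r[2:]) for r in rules]

def _opt(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None
def _ports(rules, chain, targets):
    """Destination ports matched by rules in `chain` whose target is in `targets`."""
    return {int(_opt(a, "--dport")) for c, a in rules
            if c == chain and _opt(a, "-j") in targets and "--dport" in a}

def dead_forward_rules(rules):
    """Port rules appended to FORWARD after the '-j DOCKER' jump; published traffic is accepted before reaching them."""
    past_docker, dead = False, []
    for chain, a in rules:
        if chain == "FORWARD" and _opt(a, "-j") == "DOCKER":
            past_docker = True
        elif chain == "FORWARD" and past_docker and "--dport" in a:
            dead.append(" ".join(a))
    return dead

def audit(dump):
    """Published ports that no DOCKER-USER DROP/REJECT gates, plus FORWARD rules that never match."""
    rules = parse_rules(dump)
    exposed = _ports(rules, "DOCKER", {"ACCEPT"}) - _ports(rules, "DOCKER-USER", {"DROP", "REJECT"})
    return sorted(exposed), dead_forward_rules(rules)

if __name__ == "__main__":
    for name, dump in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, audit(dump))
```

Against the posted rules the audit lists 5432 and 6379 as open to any source and both FORWARD port rules as unreachable; with the allow-list moved into DOCKER-USER the exposed list is empty, while the stale FORWARD rules are still reported so they can be cleaned up.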