LINUX.ORG.RU

Edit history

Revision by Qwentor (current version):

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3031 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8086 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8083 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3000 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4002 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4001 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4000 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8001 state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8000

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8126
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:8125
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2024
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2023
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2004
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:cfinger
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere


The mysql blocking rule isn't here (I removed it) because it doesn't work.
But in general, it should be blocking everything that isn't explicitly allowed, shouldn't it?
At least, if I bring up a web server on an arbitrary port, there is no access; only the explicitly listed ports work. Yet the MariaDB port is open right away. No idea what's going on, can't figure it out yet.

Revision by Qwentor:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3031 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8086 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8083 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3000 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4002 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4001 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4000 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8001 state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8000

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8126
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:8125
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2024
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2023
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2004
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:cfinger
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere


The mysql blocking rule isn't here (I removed it) because it doesn't work.
But in general, it should be blocking everything that isn't explicitly allowed, shouldn't it?
At least, if I bring up a web server on an arbitrary port, there is no access; only the explicitly listed ports work. Yet the MariaDB port is open right away. No idea what's going on, can't figure it out yet.

Original version by Qwentor:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3031 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8888 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8086 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8083 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3000 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4002 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4001 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4000 state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8001 state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8000

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8126
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:8125
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2024
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2023
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:2004
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:cfinger
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere


The mysql blocking rule isn't here because it doesn't work.
But in general, it should be blocking everything that isn't explicitly allowed, shouldn't it?
At least, if I bring up a web server on an arbitrary port, there is no access; only the explicitly listed ports work. Yet the MariaDB port is open right away. No idea what's going on, can't figure it out yet.
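A way to check a listing like the one above without guessing: replay it rule by rule, first match wins, exactly as the kernel walks the chain. The script below is an added example, not code from the post or from any of its revisions. It embeds an abridged copy of the listing above (a few repetitive port rules dropped, order preserved), assumes the probed packet is a fresh SYN (conntrack state NEW), and maps service names the way iptables prints them from /etc/services. One caveat it cannot resolve on its own: plain `iptables -L` hides the in/out interface columns, so a rule that prints as `ACCEPT all -- anywhere anywhere` may in reality be `-i lo` (harmless) or may be a genuine catch-all that shadows every rule below it; `iptables -L -v -n` shows which.

```python
"""Replay a captured `iptables -L` listing: which rule does a packet hit first?"""
import re

# Service names as printed by iptables -L (from /etc/services); assumed mapping.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "cfinger": 2003}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Abridged copy of the listing in the post above: INPUT, FORWARD and the Docker
# chains with some repetitive port rules dropped; the rule order is preserved.
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,ACK/FIN
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8000

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8126

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""


def port_number(name):
    """Map a numeric or /etc/services-style port token to an integer."""
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [dict]}} from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if head:
            current = chains.setdefault(head.group(1), {"policy": head.group(2), "rules": []})
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        target, prot, _opt, src, dst, *rest = line.split()
        current["rules"].append({"target": target, "prot": prot, "src": src, "dst": dst,
                                 "match": " ".join(rest), "text": line.strip()})
    return chains


def rule_matches(rule, proto, dport, state, dst):
    """Evaluate the visible match columns for a fresh SYN to dport (conntrack state NEW)."""
    if rule["prot"] not in ("all", proto) or rule["dst"] not in ("anywhere", dst):
        return False
    m = rule["match"]
    p = re.search(r"dpt:(\S+)", m)
    if p and port_number(p.group(1)) != dport:
        return False
    p = re.search(r"dports (\S+)", m)
    if p and dport not in {port_number(x) for x in p.group(1).split(",")}:
        return False
    p = re.search(r"(?:ct)?state (\S+)", m)
    if p and state not in p.group(1).split(","):
        return False
    # A SYN never satisfies a FIN-only flag test such as flags:FIN,ACK/FIN.
    return "flags:" not in m


def first_match(chains, chain, proto, dport, state="NEW", dst="anywhere"):
    """Walk a chain like the kernel: first match wins, jumps followed, RETURN honoured."""
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, proto, dport, state, dst):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, rule["text"]
        if target == "RETURN":
            break
        if target in chains:  # jump into a user chain; carry on here if it falls through
            verdict, text = first_match(chains, target, proto, dport, state, dst)
            if verdict is not None:
                return verdict, text
    policy = chains[chain]["policy"]
    return (policy, "policy " + policy) if policy else (None, None)


def unconditional_rules(chains, chain):
    """Terminal rules with no visible match at all: everything below them is shadowed."""
    return [r["text"] for r in chains[chain]["rules"]
            if r["target"] in TERMINAL and r["prot"] == "all" and not r["match"]
            and r["src"] == "anywhere" and r["dst"] == "anywhere"]


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    for chain, port, dst in [("INPUT", 80, "anywhere"), ("INPUT", 3306, "anywhere"),
                             ("FORWARD", 8126, "172.17.0.2")]:
        print(chain, port, first_match(chains, chain, "tcp", port, dst=dst))
    print("shadowing catch-all rules in INPUT:", unconditional_rules(chains, "INPUT"))
```

On the abridged listing, tcp/80 into INPUT ends at the very first rule, `DROP ... tcp dpt:http`, so the later `ACCEPT ... dpt:http` rules never see the packet; tcp/3306 (and tcp/22, and 8000) is accepted by the bare `ACCEPT all -- anywhere anywhere` rule, which is also the one `unconditional_rules` reports. Whether that rule is really interface-bound is exactly what `iptables -L -v -n` answers, and that is the first thing to look at when a port that has no explicit rule turns out to be reachable.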