Usizo, Indlela engcono kakhulu yokusetha i-docker ne-firewall ku-vps ?

Ngimusha nge-docker, okwamanje ngifuna ukumisa i-docker ku-vps ngokulandela lesi sifundo [https://www.howtoforge.com/how-to-install-and-use-nginx-proxy-manager/ ](https://www.howtoforge.com/how-to-install-and-use-nginx-proxy-manager/) ukuze uhlelo lwami lokusetha lube kanje :

vps ubuntu 22.04, i-wireguard ye-vpn, ufw ye-firewall :
Umphathi wommeleli we-nginx (NPM) ukuphatha i-http, https, isitifiketi se-ssl (imbobo eveziwe engu-81)

i-portiner yokuphatha i-docker (ichweba elidaluliwe 9443)

ghost, esinye isitsha sami sizosebenzisa inethiwekhi ye-docker futhi sikhulume ngqo nomphathi we-nginx wommeleli njengokufundisa nokubhala isizinda esingaphansi ngokufanele.
Angithandi ukuveza i-port 81, 9443 esidlangalaleni ngakho ngenza umthetho we-ufw futhi ngivumele i-vpn yasendaweni kuphela engakwazi ukuxhuma kuleyo mbobo.

Inkinga yami isitsha se-docker sibonakala singawunaki umthetho we-ufw futhi senze ichweba lisafinyeleleka nge-ip yomphakathi.
Ngizamile [https://github.com/chaifeng/ufw-docker](https://github.com/chaifeng/ufw-docker) futhi ilungisa inkinga ye-portainer kanye ne-NPM.. kodwa isipoki, nesinye isiqukathi sami sihlulekile ukuxhuma nomphathi wommeleli we-nginx uma ngandlela thize ibhokisi liqalwe kabusha noma isiqukathi siqale kabusha.

umsebenzi wami njengamanje udalulwa isipoki, esinye isiqukathi sokusingatha ichweba bese simepha ku-NPM ngekheli le-IP. kuyasebenza kodwa kuzwakala kungalungile ngoba njengoba isibalo sekhonteyna sikhula nezidingo zechweba zizokwanda.

Liyini ikhambi elihlanzekile lalokhu? ngiyabonga
I-Docker ifaka umthetho wayo wokuqala ngaphambi kwesikhathi kuma-iptables, kokuthi PREROUTING. Ungabuka imithetho nge:

iptables -t nat -S

i-ufw ivamise ukubeka imithetho kokuthi INPUT engemva kwakho kokubili UKUQINISEKISA KANYE NOPHAMBILI!

Kukhona izindawo ezimbili ku-PREROUTING ezingaphambi kwe-nat nokho! eluhlaza kanye nomhlwenga. UMangle angenza izinto eziningi INPUT engayenza noma yikanjani, ukuze ugcine amaphakethe angenayo esibonakalayo somphakathi ukuthi angafinyeleli kunethiwekhi ye-docker nhlobo ngokwenza imithetho yesixhumi esibonakalayo se-pub njenge:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 9443 -j YAMUKELA

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 81 -j YAMUKELA

# Ngakho-ke ungazikhiyeli ngaphandle kwe-ssh:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22 -j YAMUKELA

Bese ulahla yonke i-tcp ngemuva kokwamukela kwakho kusixhumi esibonakalayo se-pub (ungakhohlwa udp):

iptables -t mangle -A PREROUTING -i eth0 -p tcp -j DROP

Ukuze uthole ireferensi njengemihlahlandlela umthetho olinganayo we-INPUT ungabukeka kanje:

iptables -A INPUT -i eth0 -p tcp --dport 22 -j YAMUKELA

ucabanga ukuthi igama lakho lesixhumi esibonakalayo ngu-eth0 kunjalo. Shintsha emithethweni uma kudingeka :)


Okuhlukile yilokho okuphakanyiswe yi-hypgn0sis ngokusebenzisa iketango le-DOCKER-USER. Nokho lokho ngeke kusebenze kahle futhi amaphakethe asafinyelela kunethiwekhi (okuhlanganisa nokuvumayo kwe-FORWARD). Futhi i-ufw ne-firewalld izophazamisa imithetho yakho ye-iptables ngaphandle kokuthi uyikhubaze noma uyikhiphe.