Docker

docker & docker-compose 一堆坑 FROM alpine RUN apk –no-cache upgrade RUN apk update &&\ apk add bash

Use chown 1000 xxxoo xxxooo file name logtest: build: context: logtest/ volumes: - ./logtest/logs:./logs:rw networks: - elk command: | /bin/sh -c '/bin/sh -s << EOF echo "Start filebeat...." filebeat run -c ./filebeat.yml -v & sleep 2 while [ ! -f ./logs/filebeat ] do sleep 2 done chown 1000 ./logs/filebeat tail -f /dev/null EOF'

docker-compose.yml services: elasticsearch: logstash: kibana: nginx: docker-compose run ngnix docker-compose run kibana

restart docker service iptables be reset Docker Basic rule (New Docker maybe change somethings) *nat :PREROUTING ACCEPT [27:11935] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [598:57368] :POSTROUTING ACCEPT [591:57092] :DOCKER - [0:0] -A PREROUTING -m addrtype –dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype –dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE COMMIT # Completed on Sun Sep 20 17:35:31 2015 # Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015 *filter :INPUT ACCEPT [139291:461018923] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [127386:5251162] :DOCKER - [0:0] -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT COMMIT # Completed on Sun Sep 20 17:35:31 2015 ...

http://blog.pulipuli.info/2011/07/ http://linux.vbird.org/linux_server/0250simple_firewall.php iptables \[-AI 鏈\] \[-io 網路介面\] \[-p tcp,udp\] \\ \> \[-s 來源IP/網域\] \[--sport 埠口範圍\] \\ \> \[-d 目標IP/網域\] \[--dport 埠口範圍\] -j \[ACCEPT|DROP|REJECT\] 選項與參數： \--sport 埠口範圍：限制來源的埠口號碼，埠口號碼可以是連續的，例如 1024:65535 \--dport 埠口範圍：限制目標的埠口號碼。 \[root@www ~\]# iptables -A INPUT \[-m state\] \[--state 狀態\] 選項與參數： \-m ：一些 iptables 的外掛模組，主要常見的有： state ：狀態模組 mac ：網路卡硬體位址 (hardware address) \--state ：一些封包的狀態，主要有： INVALID ：無效的封包，例如資料破損的封包狀態 ESTABLISHED：已經連線成功的連線狀態； NEW ：想要新建立連線的封包狀態； RELATED ：這個最常用！表示這個封包是與我們主機發送出去的封包有關 範例：只要已建立或相關封包就予以通過，只要是不合法封包就丟棄 \[root@www ~\]# iptables -A INPUT -m state \\ \> \--state RELATED,ESTABLISHED -j ACCEPT \[root@www ~\]# iptables -A INPUT -m state --state INVALID -j DROP https://www.booleanworld.com/depth-guide-iptables-linux-firewall/ https://www.lammertbies.nl/comm/info/iptables.html ...