Question
My server has two network interfaces, eth0 and wlan0, one connected to the internet and the other to an internal network. The current solution of exposing Docker container ports with docker-compose to a specific interface is to use:
    version: '2'
    services:
      mosquitto:
        ports:
          - "192.168.0.1:1883:1883"
This makes it brittle since the IP addresses are distributed via DHCP. Several devices are used, of which each may have a different IP address. Therefore, is it possible to expose ports to only a specific interface? In addition, everything runs on Resin.io, limiting the configuration of iptables and co.
Answer 1:
You can address either of the two blockers mentioned as such:
With regard to the dynamic DHCP IPs, you can follow this resin.io guide about setting up static IPs: https://docs.resin.io/reference/resinOS/network/2.x/#setting-a-static-ip. After setting up a static IP, you should be able to use it in the ports configuration.
Another option is to use iptables, within your mosquitto application container. This can be achieved by:
a) setting the network_mode: host and privileged: true settings for the mosquitto service
b) installing iptables as part of a RUN instruction in your Dockerfile (e.g. RUN apt-get update && apt-get install -y iptables)
c) configuring iptables (e.g. iptables -A INPUT -i eth0 -p tcp --destination-port 1883 -j DROP to drop connections to port 1883 on the wlan0 interface)
As a side-note, I'd encourage you to have a look at our community forum (https://forums.resin.io) for any resin.io questions you might have. Our user base is pretty active there and chances are that more people will have a similar question or helpful suggestions for you.
Thanks!
Source: https://stackoverflow.com/questions/50304842/is-it-possible-to-expose-docker-ports-to-a-specific-interface
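An added example, not part of the original answer: a container entrypoint that applies the DROP rule from step (c) idempotently at start-up and refuses to launch the broker if the rule cannot be installed. The names BLOCK_IFACE, BLOCK_PORT and the IPTABLES override are assumptions of this example; which interface is the internet-facing one is left to the deployment.

```shell
#!/bin/sh
# Added example (not from the original answer). BLOCK_IFACE / BLOCK_PORT are
# assumed environment variable names set on the service.
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised without root

# Accept only plausible interface names so a bad env value never reaches iptables.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]             # Linux interface names are at most 15 characters
}

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# block_port IFACE PORT: drop inbound TCP to PORT arriving on IFACE.
# Returns 0 when the rule is in place, 2 on invalid input, 1 if iptables fails.
block_port() {
    valid_iface "$1" || return 2
    valid_port "$2" || return 2
    set -- INPUT -i "$1" -p tcp --destination-port "$2" -j DROP
    # With network_mode: host the rule lives in the host's network namespace and
    # outlives the container, so check (-C) first instead of stacking duplicates.
    "$IPTABLES" -C "$@" 2>/dev/null && return 0
    # -A appends: an earlier ACCEPT rule in INPUT would still match first.
    "$IPTABLES" -A "$@" || return 1
}

# Used as entrypoint, e.g.: entrypoint.sh mosquitto
if [ "$#" -gt 0 ]; then
    # Fail closed: never start the broker on an unfiltered interface.
    block_port "${BLOCK_IFACE:?set BLOCK_IFACE}" "${BLOCK_PORT:-1883}" || exit 1
    exec "$@"
fi
```

Rules added this way are not persisted across a host reboot, which is why the check runs on every container start.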