Background

A colleague is working on his security project and needs to deploy his "secret weapon" on an AWS server. The secret weapon is deployed through Docker. Before deployment, the server could be reached over ssh from the jump server on both the intranet and the extranet addresses. After deployment, it could only be reached over ssh on the extranet address. Those are the symptoms; what medicine to prescribe depends on the doctor's skill.

The troubleshooting journey

1. Before the secret weapon was deployed, ssh worked from both the internal and external networks; afterwards, only from the external network. Looking at this symptom, it seemed like a network firewall problem, so:
   1) iptables -F
   2) setenforce 0
   3) On AWS, open the security group of this server to inbound 0.0.0.0 (purely for testing; don't do this in a production environment)

2. Did ssh fail because the ssh configuration file had been modified? Since the port had been changed, is there a setting in the ssh configuration file that controls whether internal and external networks can log in? So: vim /etc/ssh/sshd_config and make some random changes. (This shows that I don't know ssh well enough and am not familiar with its configuration file; I need to study it.)

3. What on earth is this? The network is fine and the security group is fine. For some reason I thought of routing and ran route -n to take a look. Wow, so many routes. One of them was 172.29.0.0, very similar to our jump server's network segment, and I vaguely felt the problem was here (a woman's intuition is not only for judging whether her boyfriend is seeing someone else or whether he loves her; it turned out to be quite accurate here too, haha). So:
   route -n
   route del -net 172.22.32.0 netmask 255.255.255.0
   route del -net 172.23.32.0 netmask 255.255.255.0
   ......
   After all the routes related to the container had been removed, ssh to the intranet from the jump server worked. So excited!

4. That confirmed the route was the problem: the network segment allocated to this container conflicted with the network segment of the jump server. So:
   route add -net 172.22.32.0 netmask 255.255.255.0
   ......
   Add back all the routes just deleted, except the conflicting one. Now it's time to solve the problem properly.

The solution at the time

Since there is a conflict, the container's network segment must be changed. How? I used an extremely clumsy method: I stopped and deleted the container, then started it again with docker-compose. It was allocated a new network segment and there was no longer a conflict.

Fundamental solution

Before starting the container, change the whole Docker network to one that does not conflict with our own network segment, so that Docker only ever allocates from the range we set for it.

Operation steps: modify daemon.json to change the network segment of the entire Docker daemon. The original segment was 172; I want to change it to 192.
1) vim /etc/docker/daemon.json (if this file does not exist, create it yourself)
   {
     "bip": "192.168.0.1/24"
   }
2) Restart Docker: systemctl restart docker
3) Re-check the network segment

Note: this should be thought about when first planning to use Docker containers, by planning which network segment to use. The method above requires restarting Docker and the container.

Doubt: is there a better way to change the network segment without stopping or deleting the container? (I will add more after I have done my research.)

Summary

1: Not familiar with the ssh configuration file (I need to go through it systematically sometime).
2: Get familiar with networking, especially routing. To be honest, I still can't explain the exact role of routing; I only understand it intuitively and know that I can't do without it. (After I finish the PMP exam, I will start reading the Cisco books. Never mind the certification; I will read those books carefully first to strengthen my networking.)
3: Not familiar with Docker network modes (read Docker's official networking documentation carefully over the coming period).

That's all for this article. I hope its content is of some reference value to your study or work. Thank you for your support of 123WORDPRESS.COM.
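As an added example (not code from the article), here is a Python pre-flight check for the "Fundamental solution" above: it parses `route -n` output, flags Docker bridge routes (docker0 / br-*) that shadow an intranet prefix that should go via the jump server, and picks a daemon.json whose ranges overlap neither the host's own routes nor the intranet. The sample route table and the intranet prefix 172.29.0.0/16 are constructed to mirror the article's symptoms; the candidate ranges are assumptions. It also sets `default-address-pools`, which the article does not mention: `bip` only changes the docker0 bridge, while networks created by docker-compose are carved out of the default address pools, so changing `bip` alone would not stop a compose network landing back on 172.x.

```python
import ipaddress
import json

# Constructed sample of `route -n` output on the AWS host: docker0 and two
# docker-compose bridge networks (br-*) sit in 172.x next to the VPC subnet
# on eth0. Values are illustrative, not taken from a real host.
SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.16.1     0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.22.32.0     0.0.0.0         255.255.255.0   U     0      0        0 br-1a2b3c4d5e6f
172.29.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-f6e5d4c3b2a1
172.31.16.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0
"""

# Constructed: prefixes that must stay reachable through the jump server.
INTRANET_PREFIXES = ["172.29.0.0/16"]

DOCKER_IFACES = ("docker", "br-")  # docker0 and user-defined bridges


def parse_route_n(text):
    """Return (network, iface) pairs from `route -n` output.
    The default route 0.0.0.0/0 is skipped because it overlaps everything."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # title and column-header lines
        dest, genmask, iface = parts[0], parts[2], parts[7]
        net = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        if net.prefixlen == 0:
            continue
        routes.append((net, iface))
    return routes


def overlaps(candidate, networks):
    """Networks from the list that overlap the candidate range."""
    cand = ipaddress.IPv4Network(candidate, strict=False)
    return [n for n in networks if cand.overlaps(n)]


def docker_routes_conflicting_with_intranet(route_n_text, intranet_prefixes):
    """The article's diagnosis, automated: which Docker bridge routes
    shadow a prefix that should be reached via the jump server?"""
    intranet = [ipaddress.IPv4Network(p) for p in intranet_prefixes]
    return [(str(net), iface) for net, iface in parse_route_n(route_n_text)
            if iface.startswith(DOCKER_IFACES) and overlaps(net, intranet)]


def choose_daemon_json(route_n_text, intranet_prefixes,
                       bridge_candidates, pool_candidates, pool_size=24):
    """Pick a docker0 address (bip) and a pool for user-defined networks.
    Reserved space = intranet prefixes + every non-Docker host route; the
    existing Docker ranges are excluded because they are what we replace
    (compose networks must be removed and recreated to pick up the pool).
    Returns the dict to write to /etc/docker/daemon.json, or None."""
    reserved = [ipaddress.IPv4Network(p) for p in intranet_prefixes]
    reserved += [net for net, iface in parse_route_n(route_n_text)
                 if not iface.startswith(DOCKER_IFACES)]
    bip_net = next((ipaddress.IPv4Network(c, strict=False)
                    for c in bridge_candidates if not overlaps(c, reserved)), None)
    if bip_net is None:
        return None
    pool = next((ipaddress.IPv4Network(c) for c in pool_candidates
                 if not overlaps(c, reserved + [bip_net])), None)
    if pool is None:
        return None
    return {
        "bip": f"{next(bip_net.hosts())}/{bip_net.prefixlen}",
        "default-address-pools": [{"base": str(pool), "size": pool_size}],
    }


if __name__ == "__main__":
    print("conflicting Docker routes:",
          docker_routes_conflicting_with_intranet(SAMPLE_ROUTE_N, INTRANET_PREFIXES))
    cfg = choose_daemon_json(SAMPLE_ROUTE_N, INTRANET_PREFIXES,
                             bridge_candidates=["172.29.1.1/24", "192.168.0.1/24"],
                             pool_candidates=["192.168.0.0/16", "10.200.0.0/16"])
    print(json.dumps(cfg, indent=2))
```

On a real host, feed it the output of `route -n` (the parser understands only that format, not `ip route`). The chosen configuration still needs `systemctl restart docker`, and any docker-compose network that was created before the change keeps its old subnet until it is removed and recreated.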