My issue is that I'm getting hammered on my VPS by Chinese IPs hitting my SQL server. The VPS is running Ubuntu 16.04. I have used an iptables config where I could easily open additional ports without interfering with the Docker rules. The problem is I can't seem to block any specific IPs on the ports opened by Docker. My iptables currently looks like this:
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :FILTERS - [0:0]
    :DOCKER-USER - [0:0]
    -F INPUT
    -F DOCKER-USER
    -F FILTERS
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp --icmp-type any -j ACCEPT
    # host-bound traffic and Docker-forwarded traffic from ens33 both go through FILTERS
    -A INPUT -j FILTERS
    -A DOCKER-USER -i ens33 -j FILTERS
    -A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FILTERS -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A FILTERS -j REJECT --reject-with icmp-host-prohibited
    COMMIT
I found this tutorial: https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables/ It explains how to get a list of Chinese IPs and block them in iptables, using this line:
    -A INPUT -p tcp -m set --match-set china src -j DROP
Using this, I got it working to block ping requests by adding it as one of the first rules. But no matter what I seem to do, I can't get it to block IPs on the ports opened by Docker.
I saw that you can disable iptables modification by Docker, but I really like the ease of not having to manually open all the ports my containers use. Is there a way to add the line above as a global rule overriding all rules Docker makes?
Any help is appreciated.
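An added example, not part of the question above and not from the linked tutorial, showing where the ipset match has to live to cover container traffic. Packets to a port published by Docker are DNAT'd in the nat PREROUTING chain and then forwarded, so they never traverse INPUT; that is why the rule blocked ping (host-bound) but not the SQL port. Docker inserts a jump to DOCKER-USER as the first rule of FORWARD and leaves the chain's contents alone, so a DROP placed there takes precedence over Docker's own ACCEPT rules without turning off Docker's iptables management. The DNAT rewrites only the destination, so a `src` set match still sees the original client address. The script assumes the set name `china` and the interface `ens33` from the post (the `-i ens33` restriction only matches if the public interface really has that name; check with `ip -o link show`); the CIDRs are constructed RFC 5737 test networks standing in for the downloaded list, and the `APPLY` variable is this example's own switch. Unlike the posted line it omits `-p tcp`, so all protocols from the listed networks are dropped.

```shell
#!/bin/sh
# Added example (not from the post): drop traffic from an ipset of source
# networks both for the host (INPUT) and for Docker-published ports
# (DOCKER-USER, which Docker jumps to first from FORWARD).
set -eu

# Names as used in the question; adjust EXT_IF if `ip -o link show`
# reports a different public interface.
SET_NAME="${SET_NAME:-china}"
EXT_IF="${EXT_IF:-ens33}"

# Constructed stand-in for the downloaded country list (RFC 5737 test nets).
SAMPLE_CIDRS="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Emit ipset-restore input. The set must exist before iptables-restore
# references it, otherwise the "-m set" rule is rejected at load time.
ipset_restore_script() {
  printf 'create %s hash:net family inet\n' "$SET_NAME"
  printf 'flush %s\n' "$SET_NAME"
  printf '%s\n' "$1" | while IFS= read -r cidr; do
    if [ -n "$cidr" ]; then
      printf 'add %s %s\n' "$SET_NAME" "$cidr"
    fi
  done
}

# The match itself; identical text whichever chain it sits in. No "-p tcp",
# so every protocol from the listed networks is dropped, not only TCP.
block_rule() {
  printf '%s\n' "-m set --match-set $SET_NAME src -j DROP"
}

# iptables-restore fragment. Position 1 puts the DROP ahead of the
# ESTABLISHED/RELATED accept in INPUT and ahead of Docker's own ACCEPTs
# in FORWARD, so already-open connections from listed networks die too.
filter_rules() {
  cat <<EOF
*filter
-I INPUT 1 -i $EXT_IF $(block_rule)
-I DOCKER-USER 1 -i $EXT_IF $(block_rule)
COMMIT
EOF
}

# APPLY=1 loads the rules (needs root, ipset and iptables). The default
# only prints what would be loaded so it can be reviewed first.
if [ "${APPLY:-0}" = 1 ]; then
  # -exist: re-running the script must not fail on an existing set/entry.
  ipset_restore_script "$SAMPLE_CIDRS" | ipset -exist restore
  # --noflush: add to the running ruleset instead of replacing it.
  filter_rules | iptables-restore --noflush
else
  ipset_restore_script "$SAMPLE_CIDRS"
  filter_rules
fi
```

Run it once without `APPLY` to review the generated ipset and iptables input, then with `APPLY=1` as root. Whatever mechanism restores the firewall at boot must recreate the ipset before the filter rules are loaded, since a rule referencing a missing set fails to load and takes the rest of the table with it.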