系统集成Docker
docker宿主机器防火墙的问题
大家好,请问一个docker宿主机器防火墙的问题
想确认一下运行docker容器的苏主机是否必须开启iptables,如下我的测试:
[root@localhost ~]# /etc/init.d/iptables stop
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
[root@localhost ~]# /etc/init.d/iptables status
iptables:未运行防火墙。
[root@localhost ~]# /etc/init.d/docker restart
停止 docker: [确定]
Starting docker: [确定]
[root@localhost ~]# /etc/init.d/iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain DOCKER (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 12.17.0.2 tcp dpt:80
表格:nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 12.17.0.0/16 0.0.0.0/0
2 MASQUERADE tcp -- 12.17.0.2 12.17.0.2 tcp dpt:80
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1016 to:12.17.0.2:80
[root@localhost ~]#
想确认一下运行docker容器的苏主机是否必须开启iptables,如下我的测试:
[root@localhost ~]# /etc/init.d/iptables stop
iptables:将链设置为政策 ACCEPT:filter [确定]
iptables:清除防火墙规则: [确定]
iptables:正在卸载模块: [确定]
[root@localhost ~]# /etc/init.d/iptables status
iptables:未运行防火墙。
[root@localhost ~]# /etc/init.d/docker restart
停止 docker: [确定]
Starting docker: [确定]
[root@localhost ~]# /etc/init.d/iptables status
表格:filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain DOCKER (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 12.17.0.2 tcp dpt:80
表格:nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 12.17.0.0/16 0.0.0.0/0
2 MASQUERADE tcp -- 12.17.0.2 12.17.0.2 tcp dpt:80
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
num target prot opt source destination
1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1016 to:12.17.0.2:80
[root@localhost ~]#