I have set up a Docker container together with iptables rules. But the Docker container cannot be reached from the external network.
I have listed the iptables rules below. How can I reach the Docker container from the 172.16.8.0/24 network?
For testing purposes I installed Apache locally, and that Apache is reachable from the external network. But Docker is not reachable from outside.
# Generated by iptables-save v1.6.0 on Mon Sep 11 23:34:24 2017
*filter
:INPUT DROP [2758:655810]
:FORWARD DROP [949:56692]
:OUTPUT ACCEPT [33529:23757753]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.30.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 172.16.8.0/24 -j ACCEPT
-A INPUT -s 192.168.30.0/24 -p tcp -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
#-A OUTPUT -o ens9 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A DOCKER-INGRESS -j RETURN
-A DOCKER-ISOLATION -i docker_gwbridge -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Sep 11 23:34:24 2017
# Generated by iptables-save v1.6.0 on Mon Sep 11 23:34:24 2017
*nat
:PREROUTING ACCEPT [71640:3047957]
:INPUT ACCEPT [239:12927]
:OUTPUT ACCEPT [395:27160]
:POSTROUTING ACCEPT [424:28860]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o docker_gwbridge -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i docker_gwbridge -j RETURN
-A DOCKER-INGRESS -p tcp -m tcp --dport 4000 -j DNAT --to-destination 172.18.0.2:4000
-A DOCKER-INGRESS -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.2:5000
-A DOCKER-INGRESS -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.18.0.2:3000
-A DOCKER-INGRESS -j RETURN
COMMIT
# Completed on Mon Sep 11 23:34:24 2017
# Generated by iptables-save v1.6.0 on Mon Sep 11 23:34:24 2017
*mangle
:PREROUTING ACCEPT [151106:48716814]
:INPUT ACCEPT [57104:28465934]
:FORWARD ACCEPT [23732:18002240]
:OUTPUT ACCEPT [50500:28830985]
:POSTROUTING ACCEPT [71261:46656021]
COMMIT
# Completed on Mon Sep 11 23:34:24 2017
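An added diagnostic, not the asker's code, that parses a constructed excerpt of the dump above and lists the DNAT'd ports for which the filter table holds no ACCEPT rule. With `:FORWARD DROP` a DNAT'd packet only reaches the container if some rule in the FORWARD path accepts it; Docker normally adds one per published port in its filter-table DOCKER-INGRESS chain, and in the dump above those chains only contain RETURN.

```python
import re

# Constructed excerpt of the iptables-save dump in the post (filter and nat tables only).
DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-INGRESS - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A DOCKER-INGRESS -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
*nat
:DOCKER-INGRESS - [0:0]
-A DOCKER-INGRESS -p tcp -m tcp --dport 4000 -j DNAT --to-destination 172.18.0.2:4000
-A DOCKER-INGRESS -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.2:5000
-A DOCKER-INGRESS -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.18.0.2:3000
-A DOCKER-INGRESS -j RETURN
COMMIT
"""

def parse(dump):
    """Split an iptables-save dump into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(line)
    return tables

def tcp_dports(rules, target):
    """tcp --dport values of rules jumping to `target` (DNAT in nat, ACCEPT in filter)."""
    pat = re.compile(r"-p tcp .*--dport (\d+) .*-j %s\b" % target)
    return {int(m.group(1)) for m in map(pat.search, rules) if m}

def unreachable_ports(dump):
    """DNAT'd ports with no filter ACCEPT; under FORWARD policy DROP these never reach the container."""
    t = parse(dump)
    if t["filter"]["policy"].get("FORWARD") != "DROP":
        return set()  # a permissive FORWARD policy would pass the DNAT'd packets anyway
    return tcp_dports(t["nat"]["rules"], "DNAT") - tcp_dports(t["filter"]["rules"], "ACCEPT")
```

The check only recognises per-port ACCEPT rules; a blanket source-based ACCEPT (for example on `-s 172.16.8.0/24` in DOCKER-USER) would also pass the traffic but is not detected here.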