Docker容器与外部网络的链接-与外部网络链接
iptables -t filter -L -n与iptables -L -n
root@ubuntu:~#iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.100.4 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 192.168.100.2 192.168.100.4 tcp spt:80
root@ubuntu:~#
root@ubuntu:~#iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.100.4 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 192.168.100.2 192.168.100.4 tcp spt:80
root@ubuntu:~#
说明:
1)iptables -t filter -L -n和iptables -L -n是一样的,因为不指定 -t 时默认查看的就是 filter 表;
启动一个容器cct5
root@ubuntu:~#docker run -it -p 80 --name cct5 cct
root@70c0097d4638:/# nginx
root@70c0097d4638:/# root@ubuntu:~#
root@ubuntu:~#docker port cct5
80/tcp -> 0.0.0.0:32768
root@ubuntu:~# curl -I 127.0.0.1:32768
HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Sun, 02 Jul 2017 13:08:07 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 04 Mar 2014 11:46:45 GMT
Connection: keep-alive
ETag: "5315bd25-264"
Accept-Ranges: bytes
root@ubuntu:~#iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.100.4 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 192.168.100.2 192.168.100.4 tcp spt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.100.2 tcp dpt:80
root@ubuntu:~#
说明:
1)curl -I 127.0.0.1:32768可以访问;
2)在另外一台机器上curl -I 192.168.2.9:32768,也是可以访问;
启动一个容器cct6
root@ubuntu:~#docker run -it -p 80 --name cct6 cct
root@3fa4966fd465:/#ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:c0:a8:64:03
inet addr:192.168.100.3 Bcast:0.0.0.0 Mask:255.255.255.0
inet6 addr: fe80::42:c0ff:fea8:6403/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:508 (508.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@3fa4966fd465:/# nginx
root@3fa4966fd465:/# root@ubuntu:~#
root@ubuntu:~#docker port cct6
80/tcp -> 0.0.0.0:32769
用iptables禁止192.168.2.10访问192.168.100.3(容器cct6)的80端口
root@ubuntu:~#iptables -I DOCKER -s 192.168.2.10 -d 192.168.100.3 -p TCP --dport 80 -j DROP
root@ubuntu:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
DROP tcp -- 192.168.2.10 192.168.100.3 tcp dpt:80
ACCEPT tcp -- 192.168.100.4 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 192.168.100.2 192.168.100.4 tcp spt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.100.3 tcp dpt:80
root@ubuntu:~#
说明:
1)用iptables禁止192.168.2.10访问192.168.100.3(容器cct6)的80端口;-I 把这条规则插入到DOCKER链的最前面,所以它会先于后面针对192.168.100.3的ACCEPT规则匹配;外部访问宿主机32769端口的流量在进入FORWARD链之前已经被Docker做了DNAT,转成容器IP的80端口,因此规则要匹配的是容器IP和80端口,而不是宿主机的32769端口;
在另外一台机器上执行(192.168.2.10)
root@ubuntu:~#curl -I 192.168.2.9:32769
curl: (7) Failed to connect to 192.168.2.9 port 32769: Connection timed out
root@ubuntu:~#
说明:
1)iptables设置后,确实无法访问;因为规则的动作是DROP(直接丢弃报文,不做任何回应),所以客户端表现为连接超时,而不是立刻被拒绝;