Docker port forwarding over a bridge - "No route to host"

On CentOS 7, basic Docker port forwarding does not work through the bridge. Changing the network to "host" fixes the problem, but I need to run multiple instances of the same container and bind them to different ports, which leads to port conflicts.

docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                          NAMES
03fb34bc3401        scality/s3server    "/usr/src/app/docker…"   9 minutes ago       Up 9 minutes        192.168.5.176:8000->8000/tcp   static_cloud-media_1

Compose file

version: '2'
services:
  media:
    image: scality/s3server
    ports:
      - "192.168.5.176:8000:8000"
    networks:
      - nw-srl-cloud   # must match the network defined in the networks section below
    volumes:
      - /store/media/data:/usr/src/app/localData
      - /store/media/localMetadata:/usr/src/app/localMetadata
      - /store/static/locationConfig.json:/usr/src/app/locationConfig.json
    environment:
      - SCALITY_ACCESS_KEY_ID=newAccessKey
      - LOG_LEVEL=trace
      - LISTEN_ADDR=0.0.0.0
      - SCALITY_SECRET_ACCESS_KEY=newSecretKey
      - S3DATA=multiple
      - S3BACKEND=file
      - S3DATAPATH=/usr/src/app/localData
      - S3METADATAPATH=/usr/src/app/localMetadata

networks:
  nw-srl-cloud:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.6.0/24
          gateway: 192.168.6.254

Error - No route to host

[root@localhost ~]# curl 192.168.5.176:8000
curl: (7) Failed connect to 192.168.5.176:8000; No route to host

The connection from inside the container works

[root@localhost ~]# docker exec static_srl-cloud-812-media_1 curl localhost:8000
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   174  100   174    0     0   9643      0 --:--:-- --:--:-- --:--:-- 10235
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource></Resource><RequestId>9a280cedc9478cb7629e</RequestId></Error>[root@localhost ~]#

iptables TRACE through the tables

Oct  5 17:51:28 localhost kernel: TRACE: raw:OUTPUT:policy:5 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: mangle:OUTPUT_direct:return:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: mangle:OUTPUT:policy:2 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:OUTPUT:rule:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:OUTPUT_direct:return:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:OUTPUT:rule:2 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:DOCKER:rule:4 IN= OUT=lo SRC=192.168.5.176 DST=192.168.5.176 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: filter:OUTPUT:rule:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: filter:OUTPUT_direct:return:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: filter:OUTPUT:policy:2 IN= OUT=lo SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: security:OUTPUT:rule:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: security:OUTPUT_direct:return:1 IN= OUT=lo SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: security:OUTPUT:policy:2 IN= OUT=lo SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: mangle:POSTROUTING_direct:return:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POSTROUTING:rule:4 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POSTROUTING_direct:return:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POSTROUTING:rule:5 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POSTROUTING_ZONES_SOURCE:return:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POSTROUTING:rule:6 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POSTROUTING_ZONES:rule:3 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POST_public:rule:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POST_public_log:return:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POST_public:rule:2 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POST_public_deny:return:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POST_public:rule:3 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0
Oct  5 17:51:28 localhost kernel: TRACE: nat:POST_public_allow:rule:1 IN= OUT=br-a0a2d547c1de SRC=192.168.5.176 DST=192.168.6.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A007671800000000001030307) UID=0 GID=0

iptables dump

*mangle
:PREROUTING ACCEPT [5851:470710]
:INPUT ACCEPT [5851:470710]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10139:1306182]
:POSTROUTING ACCEPT [10139:1306182]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_trusted - [0:0]
:PRE_trusted_allow - [0:0]
:PRE_trusted_deny - [0:0]
:PRE_trusted_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp0s25 -g PRE_public
-A PREROUTING_ZONES -i docker0 -j PRE_trusted
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_trusted -j PRE_trusted_log
-A PRE_trusted -j PRE_trusted_deny
-A PRE_trusted -j PRE_trusted_allow
COMMIT
# Completed on Mon Oct  5 17:55:52 2020
# Generated by iptables-save v1.4.21 on Mon Oct  5 17:55:52 2020
*security
:INPUT ACCEPT [5845:468790]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10139:1306182]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Oct  5 17:55:52 2020
# Generated by iptables-save v1.4.21 on Mon Oct  5 17:55:52 2020
*raw
:PREROUTING ACCEPT [491:41877]
:OUTPUT ACCEPT [458:55884]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -p tcp -m tcp --dport 8000 -j TRACE
-A PREROUTING -p tcp -m tcp --sport 8000 -j TRACE
-A PREROUTING -i br-a0a2d547c1de -j TRACE
-A PREROUTING -i veth2497475 -j TRACE
-A PREROUTING -d 192.168.6.1/32 -j TRACE
-A OUTPUT -j OUTPUT_direct
-A OUTPUT -p tcp -m tcp --dport 8000 -j TRACE
-A OUTPUT -p tcp -m tcp --sport 8000 -j TRACE
-A OUTPUT -d 192.168.6.1/32 -j TRACE
COMMIT
# Completed on Mon Oct  5 17:55:52 2020
# Generated by iptables-save v1.4.21 on Mon Oct  5 17:55:52 2020
*nat
:PREROUTING ACCEPT [102:15629]
:INPUT ACCEPT [96:13709]
:OUTPUT ACCEPT [9:679]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:POST_trusted - [0:0]
:POST_trusted_allow - [0:0]
:POST_trusted_deny - [0:0]
:POST_trusted_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:PRE_trusted - [0:0]
:PRE_trusted_allow - [0:0]
:PRE_trusted_deny - [0:0]
:PRE_trusted_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.6.0/24 ! -o br-a0a2d547c1de -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-87c6064064c5 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.6.1/32 -d 192.168.6.1/32 -p tcp -m tcp --dport 8000 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A DOCKER -i br-a0a2d547c1de -j RETURN
-A DOCKER -i br-87c6064064c5 -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER -d 192.168.5.176/32 ! -i br-a0a2d547c1de -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.6.1:8000
-A POSTROUTING_ZONES -o enp0s25 -g POST_public
-A POSTROUTING_ZONES -o docker0 -j POST_trusted
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A POST_public_allow ! -i lo -j MASQUERADE
-A POST_trusted -j POST_trusted_log
-A POST_trusted -j POST_trusted_deny
-A POST_trusted -j POST_trusted_allow
-A PREROUTING_ZONES -i enp0s25 -g PRE_public
-A PREROUTING_ZONES -i docker0 -j PRE_trusted
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A PRE_trusted -j PRE_trusted_log
-A PRE_trusted -j PRE_trusted_deny
-A PRE_trusted -j PRE_trusted_allow
COMMIT
# Completed on Mon Oct  5 17:55:52 2020
# Generated by iptables-save v1.4.21 on Mon Oct  5 17:55:52 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9743:1260922]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDI_trusted - [0:0]
:FWDI_trusted_allow - [0:0]
:FWDI_trusted_deny - [0:0]
:FWDI_trusted_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:FWDO_trusted - [0:0]
:FWDO_trusted_allow - [0:0]
:FWDO_trusted_deny - [0:0]
:FWDO_trusted_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:IN_trusted - [0:0]
:IN_trusted_allow - [0:0]
:IN_trusted_deny - [0:0]
:IN_trusted_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-a0a2d547c1de -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-a0a2d547c1de -j DOCKER
-A FORWARD -i br-a0a2d547c1de ! -o br-a0a2d547c1de -j ACCEPT
-A FORWARD -i br-a0a2d547c1de -o br-a0a2d547c1de -j ACCEPT
-A FORWARD -o br-87c6064064c5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-87c6064064c5 -j DOCKER
-A FORWARD -i br-87c6064064c5 ! -o br-87c6064064c5 -j ACCEPT
-A FORWARD -i br-87c6064064c5 -o br-87c6064064c5 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A DOCKER -d 192.168.6.1/32 ! -i br-a0a2d547c1de -o br-a0a2d547c1de -p tcp -m tcp --dport 8000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-a0a2d547c1de ! -o br-a0a2d547c1de -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-a0a2d547c1de -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A FORWARD_IN_ZONES -i enp0s25 -g FWDI_public
-A FORWARD_IN_ZONES -i docker0 -j FWDI_trusted
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp0s25 -g FWDO_public
-A FORWARD_OUT_ZONES -o docker0 -j FWDO_trusted
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public_allow -j ACCEPT
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A INPUT_ZONES -i enp0s25 -g IN_public
-A INPUT_ZONES -i docker0 -j IN_trusted
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public_allow -s 192.168.0.0/16 -j ACCEPT
-A IN_public_allow -s 192.168.5.176/32 -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT

Interfaces

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:21:cc:b6:a4:8a brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.176/24 brd 192.168.5.255 scope global enp0s25
       valid_lft forever preferred_lft forever
3: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 10:0b:a9:3e:28:88 brd ff:ff:ff:ff:ff:ff
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:f5:51:12:68 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
61: br-eb4f7b9806af: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:37:2e:a2:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.254/24 brd 192.168.6.255 scope global br-eb4f7b9806af
       valid_lft forever preferred_lft forever
63: veth88d5040: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-eb4f7b9806af state UP
    link/ether f6:05:46:7d:44:40 brd ff:ff:ff:ff:ff:ff

Routes

default via 192.168.5.254 dev enp0s25  proto static  metric 100
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.5.0/24 dev enp0s25  proto kernel  scope link  src 192.168.5.176  metric 100
192.168.6.0/24 dev br-eb4f7b9806af  proto kernel  scope link  src 192.168.6.254
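A kernel TRACE log like the one quoted above is hard to read by eye, because every hop repeats the whole packet header. The following Python script is an added example, not part of the question: it parses TRACE lines, groups them per packet (IP ID plus source port) and reports the chain sequence, the hop after which DST or OUT changed (which points at the nat rule that performed the DNAT and at the re-route onto the bridge), and the last chain the packet was seen in. The sample lines are constructed, abridged from the trace in the question.

```python
"""Follow one packet through iptables TRACE output and show where it was rewritten."""
import re
from typing import Dict, List, Optional

HOP_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>rule|policy|return):(?P<num>\d+) (?P<rest>.*)"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # matches IN=, OUT=lo, SRC=..., DPT=8000, ...

# Constructed sample: seven hops abridged from the trace quoted in the question.
_PFX = "Oct  5 17:51:28 localhost kernel: TRACE: "
_TAIL = ("LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25606 DF PROTO=TCP SPT=58720 "
         "DPT=8000 SEQ=50075014 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 UID=0 GID=0")
SAMPLE_TRACE = "\n".join(
    f"{_PFX}{hop} IN= OUT={out} SRC=192.168.5.176 DST={dst} {_TAIL}"
    for hop, out, dst in [
        ("raw:OUTPUT:policy:5", "lo", "192.168.5.176"),
        ("nat:OUTPUT:rule:2", "lo", "192.168.5.176"),
        ("nat:DOCKER:rule:4", "lo", "192.168.5.176"),
        ("filter:OUTPUT:rule:1", "lo", "192.168.6.1"),
        ("security:OUTPUT:policy:2", "lo", "192.168.6.1"),
        ("mangle:POSTROUTING:rule:1", "br-a0a2d547c1de", "192.168.6.1"),
        ("nat:POST_public_allow:rule:1", "br-a0a2d547c1de", "192.168.6.1"),
    ]
)


def parse_hop(line: str) -> Optional[Dict[str, str]]:
    """Turn one TRACE line into a dict of table/chain/kind/num plus header fields."""
    m = HOP_RE.search(line)
    if not m:
        return None  # not a TRACE line (other kernel messages are interleaved)
    hop = {k: m.group(k) for k in ("table", "chain", "kind", "num")}
    hop.update(KV_RE.findall(m.group("rest")))
    return hop


def packets(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group hops per packet; IP ID plus source port identifies one TCP SYN."""
    groups: Dict[str, List[Dict[str, str]]] = {}
    for line in text.splitlines():
        hop = parse_hop(line)
        if hop:
            groups.setdefault(f"{hop.get('ID', '?')}/{hop.get('SPT', '?')}", []).append(hop)
    return groups


def follow(hops: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarize a packet's path and every hop after which SRC, DST or OUT changed."""
    path = [f"{h['table']}:{h['chain']}:{h['kind']}:{h['num']}" for h in hops]
    rewrites = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        for field in ("SRC", "DST", "OUT"):
            if prev.get(field) != cur.get(field):
                # the change shows up on the line *after* the rule that caused it
                rewrites.append({"field": field, "after_rule": path[i - 1],
                                 "from": prev.get(field), "to": cur.get(field)})
    return {"path": path, "rewrites": rewrites, "last": path[-1],
            "final_dst": hops[-1].get("DST"), "final_out": hops[-1].get("OUT")}


if __name__ == "__main__":
    for key, hops in packets(SAMPLE_TRACE).items():
        s = follow(hops)
        print(key, "->", " > ".join(s["path"]))
        for r in s["rewrites"]:
            print(f"  {r['field']} {r['from']} -> {r['to']} after {r['after_rule']}")
```

Run it against `journalctl -k` or `/var/log/messages` output to see, per connection attempt, which nat rule rewrote the destination and in which chain the trace stops.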
