1. Switch the CentOS 7 firewall from firewalld to iptables

# Stop and disable firewalld
systemctl stop firewalld.service             # stop the firewalld service
systemctl disable firewalld.service          # do not start firewalld at boot
systemctl mask firewalld.service             # mask the unit so nothing (not even a dependency) can start it again
# Install the iptables service
yum install -y iptables-services             # provides iptables.service and /etc/sysconfig/iptables
vim /etc/sysconfig/iptables                  # edit the rule file (iptables-save format, loaded when the service starts)

systemctl restart iptables.service           # reload the rule file so the new rules take effect
systemctl enable iptables.service            # load the rule file at boot
# Note: restarting iptables.service replaces the running rule set with the contents of the file, which
# drops any rules Docker added at runtime (for example for containers started since the file was saved);
# run `systemctl restart docker` afterwards so Docker recreates them.

# Other related commands
systemctl disable iptables                   # do not start iptables at boot
systemctl stop iptables                      # stop the service (flushes the running rules)
systemctl enable iptables                    # start iptables at boot
systemctl start iptables                     # start the service

2. The iptables rules that Docker adds

# nat table: Docker's NAT rules explained

# Generated by iptables-save v1.4.21 on Sun Mar 22 22:30:43 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [8:496]
:POSTROUTING ACCEPT [8:496]
:DOCKER - [0:0]
# Packets whose destination is a local (host) address are handed to the DOCKER chain
#-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
# The same for locally generated packets, except those destined for 127.0.0.0/8
#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Packets from the docker0 network (172.17.0.0/16) that leave through any interface other than docker0
# are source-NATed (MASQUERADE), so the outside world sees the host's address; the second rule does the
# same for the user-defined bridge br-cb8fb8f7ba15 (172.20.0.0/16)
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-cb8fb8f7ba15 -j MASQUERADE
# Published port (added by docker run -p 8080:80 for the container 172.17.0.2): hairpin masquerade for the
# container connecting to its own published port
# -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
# Packets that arrived on a Docker bridge are returned to the calling chain (container-to-container traffic
# is never DNATed)
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-cb8fb8f7ba15 -j RETURN
# Published port: tcp/8080 arriving on any interface other than docker0 is DNATed to the container's port 80
#-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
# Completed on Sun Mar 22 22:30:43 2020
# Generated by iptables-save v1.4.21 on Sun Mar 22 22:30:43 2020


# filter table: Docker's filter rules explained
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201:28569]
# DOCKER chain: per-container rules for published ports
:DOCKER - [0:0]
# DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains: keep the bridge networks apart
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
# DOCKER-USER chain: evaluated before Docker's own rules; this is where administrator rules belong
:DOCKER-USER - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Template for opening a host port (here 8080) in INPUT. Note that this is not what exposes a Docker-published
# port: traffic to a published port is DNATed in the nat PREROUTING chain and then traverses FORWARD
# (DOCKER-USER, then DOCKER), never INPUT.
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# All forwarded traffic is first checked against DOCKER-USER (administrator rules run before Docker's own)
-A FORWARD -j DOCKER-USER
# then against the bridge-isolation chain
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
# Traffic going into docker0 that belongs to an established or related connection (replies to the containers)
# is accepted
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Other traffic going into docker0 is checked against the DOCKER chain (per-container published-port rules)
-A FORWARD -o docker0 -j DOCKER
# Traffic from docker0 leaving through any other interface (container to the outside) is accepted
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
# Traffic between containers on docker0 is accepted
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# The same four rules for the user-defined bridge br-cb8fb8f7ba15
-A FORWARD -o br-cb8fb8f7ba15 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cb8fb8f7ba15 -j DOCKER
-A FORWARD -i br-cb8fb8f7ba15 ! -o br-cb8fb8f7ba15 -j ACCEPT
-A FORWARD -i br-cb8fb8f7ba15 -o br-cb8fb8f7ba15 -j ACCEPT
# Anything else that reaches the end of FORWARD is rejected
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Published port (docker run -p 8080:80): accept forwarded traffic to the container's port 80 that did not
# arrive on docker0 (the matching DNAT rule is in the nat table)
# -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
# Stage 1: traffic that entered on a Docker bridge and is leaving through a different interface is handed
# to stage 2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-cb8fb8f7ba15 ! -o br-cb8fb8f7ba15 -j DOCKER-ISOLATION-STAGE-2
# Everything else returns to FORWARD
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
# Stage 2: if that traffic is heading into another Docker bridge, drop it. Together the two stages stop
# containers on docker0 from reaching containers on br-cb8fb8f7ba15 and vice versa
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-cb8fb8f7ba15 -j DROP
# Traffic leaving towards a non-Docker interface returns to FORWARD
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
# DOCKER-USER holds only a RETURN by default; administrator rules (for example restricting which sources may
# reach published ports) are inserted here, ahead of the RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Mar 22 22:30:43 2020
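To make the effect of the nat and filter rules above concrete, here is an added audit script; it is not part of the original post and not Docker's own tooling. It reads an `iptables-save` dump, lists the ports Docker has published through DNAT (the ones that reach the host without ever passing the INPUT chain), and checks whether DOCKER-USER contains anything besides Docker's RETURN. The embedded dump is constructed to mimic the listing above with the published-port rules active (container 172.17.0.2, host port 8080); the interface name eth0 and the 10.0.0.0/8 allow-list passed to `docker_user_restrict_rules` are illustrative assumptions.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for Docker-published ports.
# SAMPLE_RULES is a constructed dump mimicking the listing above, with the
# published-port rules active (docker run -p 8080:80, container 172.17.0.2).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# Print each DNAT rule of the nat table as "hostport->container:port".
# These ports are reachable from outside; the INPUT chain never sees them
# because the DNATed packet is forwarded, not delivered locally.
published_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            if (port != "" && dest != "") print port "->" dest
        }'
}

# Count the rules in DOCKER-USER other than the RETURN Docker appends.
# Zero means nothing restricts who may reach the published ports.
docker_user_rule_count() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "DOCKER-USER" && !/-j RETURN$/ { n++ }
        END { print n + 0 }'
}

# Emit the commands that limit published ports to one source network.
# $1 = external interface, $2 = allowed CIDR (both illustrative assumptions).
# Rules are inserted ahead of Docker's RETURN; the conntrack rule keeps
# replies to outbound container connections working.
docker_user_restrict_rules() {
    printf 'iptables -I DOCKER-USER 1 -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n' "$1"
    printf 'iptables -I DOCKER-USER 2 -i %s -s %s -j RETURN\n' "$1" "$2"
    printf 'iptables -I DOCKER-USER 3 -i %s -j DROP\n' "$1"
}

# Report on a dump; on a real host run: audit "$(iptables-save)"
audit() {
    echo "Published ports (bypass INPUT, filtered only in FORWARD):"
    published_ports "$1" | sed 's/^/  /'
    if [ "$(docker_user_rule_count "$1")" -eq 0 ]; then
        echo "DOCKER-USER is empty: published ports are open to any source. Suggested rules:"
        docker_user_restrict_rules eth0 10.0.0.0/8 | sed 's/^/  /'
    else
        echo "DOCKER-USER has custom rules; review them."
    fi
}

audit "$SAMPLE_RULES"
```

The three suggested rules are ordered so that established flows return first, the allowed network returns next, and everything else arriving on the external interface is dropped before Docker's own rules get a chance to accept it; since Docker evaluates DOCKER-USER at the top of FORWARD, this is the one place where such a restriction survives Docker re-creating its chains.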

