Control outbound traffic in Docker

I have 4 containers running Ubuntu 14.04, one as the main container and the others as child containers.

I also created an internal network that connects all 4 containers.

The main container is connected to the default bridge network to access the internet.

The problem is that I have to pass all traffic from the child containers through the main container. All inbound and outbound traffic to the child containers should go only through the main container.

    $ docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
    c7899db54c0b        ubuntu-14.04        "/bin/bash"         46 hours ago        Up About an hour                        second-child
    3032f73cc65e        ubuntu-14.04        "/bin/bash"         46 hours ago        Up About an hour                        first-child
    9ba6b044b89d        ubuntu-14.04        "/bin/bash"         46 hours ago        Up About an hour                        third-child
    10c2b04ab739        ubuntu-14.04        "/bin/bash"         46 hours ago        Up About an hour                        main-node

    $ docker network inspect bridge
    [
        {
            "Name": "bridge",
            "Id": "d1647c7b23e963d4f18fda4c3681b3d56d97904df44088faf78433c2e49a2cac",
            "Created": "2017-09-06T05:51:54.48611446Z",
            "Scope": "local",
            "Driver": "bridge",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": null,
                "Config": [
                    {
                        "Subnet": "172.17.0.0/16",
                        "Gateway": "172.17.0.1"
                    }
                ]
            },
            "Internal": false,
            "Attachable": false,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {
                "10c2b04ab739a50213faa82fdcd82a370554e3629fd7d1113b3c1126cecfca0a": {
                    "Name": "main-node",
                    "EndpointID": "9f294a17b8f13646bea6b2d255fb4d56484ef469ef9439d2b4de3b90bcc659e6",
                    "MacAddress": "02:42:ac:11:00:02",
                    "IPv4Address": "172.17.0.2/16",
                    "IPv6Address": ""
                }
            },
            "Options": {
                "com.docker.network.bridge.default_bridge": "true",
                "com.docker.network.bridge.enable_icc": "true",
                "com.docker.network.bridge.enable_ip_masquerade": "true",
                "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
                "com.docker.network.bridge.name": "docker0",
                "com.docker.network.driver.mtu": "1500"
            },
            "Labels": {}
        }
    ]

    $ docker network inspect internal-network
    [
        {
            "Name": "internal-network",
            "Id": "fc50dedabed2a94b0b39b6c955c4d33a8cb00ebcb212e214eeed72fd9d6c4ec6",
            "Created": "2017-09-04T12:16:59.866830342Z",
            "Scope": "local",
            "Driver": "bridge",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": {},
                "Config": [
                    {
                        "Subnet": "10.1.1.0/24",
                        "Gateway": "10.1.1.1"
                    }
                ]
            },
            "Internal": true,
            "Attachable": false,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {
                "10c2b04ab739a50213faa82fdcd82a370554e3629fd7d1113b3c1126cecfca0a": {
                    "Name": "main-node",
                    "EndpointID": "ad415707d1ceab0b25cbdc0e1cdc64ac569ea2a0000b899cb1ff7ab0e1320993",
                    "MacAddress": "02:42:0a:01:01:05",
                    "IPv4Address": "10.1.1.5/24",
                    "IPv6Address": ""
                },
                "3032f73cc65eb1640a56a851ac3238032b3758d88b4d3340da715528f38f5b4a": {
                    "Name": "first-child",
                    "EndpointID": "52e692be3f3f67a88915befa149bde85a2843015a7d323673e8f2f005758ee0c",
                    "MacAddress": "02:42:0a:01:01:03",
                    "IPv4Address": "10.1.1.3/24",
                    "IPv6Address": ""
                },
                "9ba6b044b89dfb1d29e4b36f42a0bb4f1a1c2ab58158fd73f117dda2d732e453": {
                    "Name": "third-child",
                    "EndpointID": "5e1da99363487ca27bf22dbf83f50316bdfcdcc3af9110573eaeae7dd82e5422",
                    "MacAddress": "02:42:0a:01:01:04",
                    "IPv4Address": "10.1.1.4/24",
                    "IPv6Address": ""
                },
                "c7899db54c0ba235ee6b48628759e609f84aa1c7c1dd3663052fc79da6d9ac73": {
                    "Name": "second-child",
                    "EndpointID": "7f8d755ff17a7a7b0b7945c4ff65406d81a6470c3db698cb5ab27b7aeacfca22",
                    "MacAddress": "02:42:0a:01:01:02",
                    "IPv4Address": "10.1.1.2/24",
                    "IPv6Address": ""
                }
            },
            "Options": {},
            "Labels": {}
        }
    ]

Edit 1:

I tried adding a MASQUERADE rule in iptables, but it does not work.

Using

    sudo iptables -t nat -A POSTROUTING -s 10.1.1.1 -d 172.17.0.0 -j MASQUERADE

After this my iptables looks like this:

    $ sudo iptables -t nat -L
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  172.17.0.0/16        anywhere
    MASQUERADE  all  --  172.19.0.0/16        anywhere
    MASQUERADE  all  --  172.18.0.0/16        anywhere
    MASQUERADE  all  --  10.1.1.1             172.17.0.1
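The setup the question describes (every child reaching the outside only via main-node), as an added example script rather than the asker's own configuration: the NAT and forwarding rules belong inside main-node, not on the host, and the children need an explicit default route because an internal network gives them no gateway. It goes a step beyond the question by adding a deny-by-default FORWARD policy in main-node, so egress control for all children lives in one place. Assumed and not from the question: the script name egress.sh, eth0 as main-node's bridge-side interface, iptables installed in main-node, and CAP_NET_ADMIN on every container involved.

```shell
#!/bin/sh
# Added example, not the asker's setup: make main-node the only path in and
# out of internal-network. Container names and addresses come from the
# question; eth0 as main-node's bridge-side interface is an assumption
# (check with `docker exec main-node ip addr`). main-node and the children
# need CAP_NET_ADMIN, and main-node a writable net.ipv4.ip_forward, e.g.
#   docker run --cap-add NET_ADMIN --sysctl net.ipv4.ip_forward=1 ...
set -eu

GATEWAY=main-node
GATEWAY_INTERNAL_IP=10.1.1.5
INTERNAL_SUBNET=10.1.1.0/24
EXTERNAL_IF=eth0
CHILDREN="first-child second-child third-child"

# run: execute the command, or only print it when DRY_RUN is set
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gateway_rules: forwarding plus NAT inside main-node. Masquerading there is
# required because the host's MASQUERADE rule only matches 172.17.0.0/16,
# so a child's 10.1.1.x source address would never get a return path.
gateway_rules() {
  run docker exec "$GATEWAY" sysctl -w net.ipv4.ip_forward=1
  run docker exec "$GATEWAY" iptables -t nat -A POSTROUTING \
      -s "$INTERNAL_SUBNET" -o "$EXTERNAL_IF" -j MASQUERADE
  # Egress policy for the children: deny forwarded traffic by default,
  # then allow replies, DNS and HTTP/HTTPS only.
  run docker exec "$GATEWAY" iptables -P FORWARD DROP
  run docker exec "$GATEWAY" iptables -A FORWARD \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run docker exec "$GATEWAY" iptables -A FORWARD -s "$INTERNAL_SUBNET" \
      -o "$EXTERNAL_IF" -p udp --dport 53 -j ACCEPT
  run docker exec "$GATEWAY" iptables -A FORWARD -s "$INTERNAL_SUBNET" \
      -o "$EXTERNAL_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# child_routes: an internal network gives the children no default gateway,
# so point their default route at main-node explicitly.
child_routes() {
  for c in $CHILDREN; do
    run docker exec "$c" ip route replace default via "$GATEWAY_INTERNAL_IP"
  done
}

# ./egress.sh plan -> print the commands;  ./egress.sh apply -> run them
case "${1:-}" in
  plan)  DRY_RUN=1; gateway_rules; child_routes ;;
  apply) gateway_rules; child_routes ;;
esac
```

Run `plan` first and compare the printed rules against `docker exec main-node iptables -S` after `apply`; if `docker exec` reports "Operation not permitted", the container was started without CAP_NET_ADMIN.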