Docker container cannot be accessed from outside

I have built a Docker container with iptables rules, but the Docker container cannot be accessed from the external network.

I have listed the iptables rules below. How can I access the Docker container from the 172.16.8.0/24 network?

For testing purposes I installed Apache locally, and this Apache can be accessed from the external network. But the Docker container cannot be reached from outside.

# Generated by iptables-save v1.6.0 on Mon Sep 11 23:34:24 2017
*filter
:INPUT DROP [2758:655810]
:FORWARD DROP [949:56692]
:OUTPUT ACCEPT [33529:23757753]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.30.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 172.16.8.0/24 -j ACCEPT
-A INPUT -s 192.168.30.0/24 -p tcp -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
#-A OUTPUT -o ens9 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A DOCKER-INGRESS -j RETURN
-A DOCKER-ISOLATION -i docker_gwbridge -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Mon Sep 11 23:34:24 2017
# Generated by iptables-save v1.6.0 on Mon Sep 11 23:34:24 2017
*nat
:PREROUTING ACCEPT [71640:3047957]
:INPUT ACCEPT [239:12927]
:OUTPUT ACCEPT [395:27160]
:POSTROUTING ACCEPT [424:28860]
:DOCKER - [0:0]
:DOCKER-INGRESS - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER-INGRESS
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -o docker_gwbridge -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i docker_gwbridge -j RETURN
-A DOCKER-INGRESS -p tcp -m tcp --dport 4000 -j DNAT --to-destination 172.18.0.2:4000
-A DOCKER-INGRESS -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.2:5000
-A DOCKER-INGRESS -p tcp -m tcp --dport 3000 -j DNAT --to-destination 172.18.0.2:3000
-A DOCKER-INGRESS -j RETURN
COMMIT
# Completed on Mon Sep 11 23:34:24 2017
# Generated by iptables-save v1.6.0 on Mon Sep 11 23:34:24 2017
*mangle
:PREROUTING ACCEPT [151106:48716814]
:INPUT ACCEPT [57104:28465934]
:FORWARD ACCEPT [23732:18002240]
:OUTPUT ACCEPT [50500:28830985]
:POSTROUTING ACCEPT [71261:46656021]
COMMIT
# Completed on Mon Sep 11 23:34:24 2017
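To see where a LAN client's connection ends up, here is an added diagnostic (my own example, not code from the question) that replays the question's filter-table FORWARD chain for one hypothetical packet. It assumes the DNAT'd connection from 172.16.8.0/24 enters on ens9 (the interface name in the commented-out OUTPUT rule) and leaves via docker_gwbridge; for a new connection no rule accepts it and the chain falls through to the DROP policy, while an established reply is accepted by the conntrack rule.

```python
# Added example (not from the original post): trace one hypothetical packet through
# the filter-table FORWARD path of an iptables-save dump, in kernel order.
import shlex

# Abridged copy of the post's *filter table, original rule order kept; the docker0
# rules and the RETURN-only DOCKER-INGRESS / DOCKER-ISOLATION chains are omitted.
DUMP = """\
:FORWARD DROP [949:56692]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
-A DOCKER-USER -j RETURN
"""
FIELD = {"-i": "in", "-o": "out", "--ctstate": "ctstate"}  # matchers implemented
def parse(dump):
    policy, chains = {}, {}          # chain policy, and rules per chain in order
    for tok in map(shlex.split, dump.splitlines()):
        if tok[0][0] == ":":
            policy[tok[0][1:]] = tok[1]
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])
    return policy, chains
def matches(rule, pkt):
    i = 0
    while rule[i] != "-j":           # "-m conntrack" only loads a module: skip it
        neg = rule[i] == "!"
        opt, val, i = rule[i + neg], rule[i + neg + 1], i + neg + 2
        if opt != "-m" and (pkt[FIELD[opt]] in val.split(",")) == neg:
            return False
    return True
def verdict(policy, chains, chain, pkt, trace):
    # Returns ACCEPT/DROP, or None when a user-defined chain falls through.
    for rule in chains.get(chain, []):   # DOCKER exists in the post but is empty
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}: {' '.join(rule)}")
        t = rule[rule.index("-j") + 1]
        if t in ("ACCEPT", "DROP"):
            return t
        if t == "RETURN":
            break
        if (sub := verdict(policy, chains, t, pkt, trace)) is not None:
            return sub
    return policy.get(chain)             # built-in chain: its policy decides
def check(pkt, dump=DUMP):
    trace = []
    return verdict(*parse(dump), "FORWARD", pkt, trace), trace

# DNAT'd new connection from the 172.16.8.0/24 LAN: in on the host NIC (ens9, the
# name from the post's commented-out OUTPUT rule), out towards docker_gwbridge.
NEW = {"in": "ens9", "out": "docker_gwbridge", "ctstate": "NEW"}
```

`check(NEW)` returns `"DROP"` together with the rules the packet touched, the last of which is the jump into the empty DOCKER chain; with the same packet marked ESTABLISHED it returns `"ACCEPT"`.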