iptables: add, delete, view and modify rules, and modify port mappings when Docker is running

One, install and start the firewall

  [root@linux ~]# /etc/init.d/iptables start

When iptables rules are added and saved, they are stored on disk as a file. On CentOS, for example, the file is /etc/sysconfig/iptables. Rules can be added, modified and deleted with commands, or by editing /etc/sysconfig/iptables directly.

Two, add firewall rules

1, add a filter table rule

  [root@linux ~]# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT //Open port 21

The OUTPUT chain is left open here (iptables -P OUTPUT ACCEPT), so there is no need to open ports for outbound traffic.

2, add a nat table rule

  [root@linux ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE

Masquerade (source-NAT) packets whose source address is in 192.168.10.0/24.

3, -A appends at the end of the chain by default; use -I to insert at a specified position

  [root@linux ~]# iptables -I INPUT 3 -p tcp -m tcp --dport 20 -j ACCEPT
  [root@linux ~]# iptables -L -n --line-number
  Chain INPUT (policy DROP)
  num  target     prot opt source               destination
  1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
  2    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
  3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20   //-I inserted at the specified position
  4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  7    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
  8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21   //-A appends at the end by default
  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination
  Chain OUTPUT (policy ACCEPT)
  num  target     prot opt source               destination

Three, view the iptables rules

1, view the filter table

  [root@linux ~]# iptables -L -n --line-number | grep 21   //--line-number shows each rule's number, which is convenient when deleting
  5    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:21

If -t is not given, the filter table is the default for viewing, adding and deleting alike.

2, view the nat table

  [root@linux ~]# iptables -t nat -vnL POSTROUTING --line-number
  Chain POSTROUTING (policy ACCEPT 38 packets, 2297 bytes)
  num   pkts bytes target     prot opt in     out     source               destination
  1        0     0 MASQUERADE all  --  *      *       192.168.10.0/24      0.0.0.0/0

Four, modify the rules

  [root@linux ~]# iptables -R INPUT 3 -j DROP //Replace rule 3 with a DROP rule (-R replaces the whole rule, so any match such as -p tcp --dport must be given again)

Five, delete iptables rules

  [root@linux ~]# iptables -D INPUT 3 //Delete the third rule of INPUT
  [root@linux ~]# iptables -t nat -D POSTROUTING 1 //Delete the first rule of POSTROUTING in the nat table
  [root@linux ~]# iptables -F INPUT //Clear all rules of the filter table INPUT chain
  [root@linux ~]# iptables -F //Clear all rules of the filter table
  [root@linux ~]# iptables -t nat -F POSTROUTING //Clear all rules of the nat table POSTROUTING chain

Six, set the default policy

  [root@linux ~]# iptables -P INPUT DROP //Set the default policy of the filter table INPUT chain to DROP

Every addition, deletion and modification must be saved with /etc/init.d/iptables save, or it is lost when the service restarts. The above are only the most basic operations; using them fluently takes some hands-on practice.

Application:

Modifying host iptables port mappings: Docker port mapping is not implemented inside Docker itself but through the host's iptables. Port mapping is done by controlling the bridge, similar to configuring port forwarding on a router.

Suppose port 8000 of a container is mapped to port 9000 of the host. First check which rules iptables has set:

sudo iptables -t nat -vnL

Part of the output:

Chain DOCKER (2 references)
 pkts bytes target     prot opt in       out     source               destination
   98  5872 RETURN     all  --  docker0  *       0.0.0.0/0            0.0.0.0/0
  237 14316 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.3:8000

We can see that Docker has created a custom chain called DOCKER, and that the IP of the container exposing port 8000 is 172.17.0.3.

You can also view the container IP with the inspect command:

docker inspect [containerId] | grep IPAddress

To add another port mapping, for example host port 8081 -> container port 81, add a rule to this chain:

sudo iptables -t nat -A DOCKER -p tcp --dport 8081 -j DNAT --to-destination 172.17.0.3:81

If you made a mistake or want to modify a rule, first display the rule numbers:

sudo iptables -t nat -vnL DOCKER --line-number

then delete rule 3:

sudo iptables -t nat -D DOCKER 3

Modify iptables to add a mapped port

Execute the following commands on the host to achieve this:

iptables -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
iptables -t nat -A DOCKER ! -i br0 -p tcp -m tcp --dport 11522 -j DNAT --to-destination 172.17.0.2:1521

Important parameter description:

172.17.0.2: the IP of the Docker container; it can be obtained with "docker inspect `container_name` | grep IPAddress"
1521: the port exposed by the application inside the container
11522: the host port to which the application port inside the container is mapped
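As an added example (not from the original post), the following POSIX shell helpers wrap the procedure above: one builds the pair of rules (filter DOCKER ACCEPT plus nat DOCKER DNAT) for a container IP, host port and container port; one finds the rule number of an existing DNAT rule in a --line-number listing so that the right rule is deleted rather than a guessed "rule 3"; and one applies the rules only when iptables -C reports they are not already present. It assumes the bridge is docker0 for both rules, that the listing is in the -vnL --line-number format, and the embedded listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the bridge is docker0
# and that listings come from `iptables -t nat -vnL DOCKER --line-number`.

# Constructed sample listing (not real output from any host).
SAMPLE_LISTING='Chain DOCKER (2 references)
num   pkts bytes target  prot opt in       out  source     destination
1       98  5872 RETURN  all  --  docker0  *    0.0.0.0/0  0.0.0.0/0
2      237 14316 DNAT    tcp  --  !docker0 *    0.0.0.0/0  0.0.0.0/0  tcp dpt:9000 to:172.17.0.3:8000
3        0     0 DNAT    tcp  --  !docker0 *    0.0.0.0/0  0.0.0.0/0  tcp dpt:8081 to:172.17.0.3:81'

# Print the rule number of the DNAT rule for host port $1, reading a listing
# from stdin. Prints nothing if no such rule exists, so a blind
# `iptables -t nat -D DOCKER 3` never removes the wrong rule.
docker_dnat_rulenum() {
    awk -v p="$1" '$4 == "DNAT" && index($0, " dpt:" p " ") { print $1 }'
}

# Print the two rules the post adds: the filter-table ACCEPT toward the
# container and the nat-table DNAT from the host port to the container port.
# Arguments: container IP, host port, container port.
docker_map_cmds() {
    ip="$1"; hport="$2"; cport="$3"
    printf '%s\n' "iptables -A DOCKER -d $ip/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport $cport -j ACCEPT"
    printf '%s\n' "iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport $hport -j DNAT --to-destination $ip:$cport"
}

# Apply the rules, skipping any that already exist (-C checks for a rule
# without adding it), so re-running does not create duplicates. Needs root.
docker_map_apply() {
    docker_map_cmds "$@" | while IFS= read -r add; do
        check=$(printf '%s' "$add" | sed 's/ -A DOCKER / -C DOCKER /')
        if $check 2>/dev/null; then
            echo "already present: $add"
        else
            $add
        fi
    done
}

# Usage when run directly, e.g. ./docker-map.sh 172.17.0.2 11522 1521
if [ "$#" -eq 3 ]; then
    docker_map_apply "$@"
fi
```

To find which rule to delete on a live host, pipe the real listing in: `sudo iptables -t nat -vnL DOCKER --line-number | docker_dnat_rulenum 8081`.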

Save iptables rules persistently:

After writing the iptables commands, do:

 1. sudo su
 2. iptables-save > /etc/iptables.rules
 3. In /etc/network/if-pre-up.d/iptables, put:

 #!/bin/sh
 iptables-restore < /etc/iptables.rules
 exit 0

 4. Then, in /etc/network/if-post-down.d/iptables, put:

 #!/bin/sh
 iptables-save -c > /etc/iptables.rules
 if [ -f /etc/iptables.rules ]; then
     iptables-restore < /etc/iptables.rules
 fi
 exit 0

 5. Finally, make the scripts executable:

 sudo chmod +x /etc/network/if-post-down.d/iptables
 sudo chmod +x /etc/network/if-pre-up.d/iptables