Docker iptables configuration


First edit /etc/docker/daemon.json so that Docker no longer manages the firewall itself. With "iptables": false the daemon adds no NAT or FORWARD rules of its own, so container egress (MASQUERADE) and forwarding between the bridges and the external interface have to be supplied by the rules below. Restart the Docker daemon after changing this file.

{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "iptables": false
}

How to load the iptables rules at boot

https://github.com/gronke/systemd-iptables

The iptables ruleset (iptables-restore format)

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# eno16777728 is the external interface (eth0 on most hosts)
# Source NAT for everything leaving the external interface. Docker's own
# rule is narrower: it limits this by source subnet (e.g. -s 172.17.0.0/16
# for docker0), which is the better choice once the container subnets are known.
-A POSTROUTING -o eno16777728 -j MASQUERADE

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# ICMP
-A INPUT -p icmp -j ACCEPT

# Docker default bridge (docker0)
# Containers may open connections outward; from the external interface only
# replies to existing connections are forwarded back in, which is what Docker's
# own default FORWARD rules do. An unconditional eno16777728 -> docker0 ACCEPT
# would let any routed host open new connections straight to container ports.
-A FORWARD -i docker0 -o eno16777728 -j ACCEPT
-A FORWARD -i eno16777728 -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Docker user-defined network (bridge name is br-<first 12 chars of the network ID>;
# check with `ip link` or `docker network inspect`)
-A FORWARD -i br-f6fb0f164c0a -o eno16777728 -j ACCEPT
-A FORWARD -i eno16777728 -o br-f6fb0f164c0a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-f6fb0f164c0a -o br-f6fb0f164c0a -j ACCEPT
# Note: traffic between docker0 and br-f6fb0f164c0a is not listed, so it falls
# through to the final FORWARD DROP and the two networks stay isolated.

# Incoming
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT

-A INPUT -j DROP

# Outgoing
-A OUTPUT -j ACCEPT

# Routing: anything not matched above is dropped
-A FORWARD -j DROP

COMMIT
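Because user-defined bridges get generated names (br- followed by the first 12 characters of the network ID), every new network means hand-editing another block of FORWARD rules. The following POSIX shell generator is an added example, not code from the original post: it emits the ruleset above for an external interface plus any number of bridge names, with the inbound bridge rule restricted to RELATED,ESTABLISHED as in Docker's own default FORWARD rules. The docker_bridges helper, the iptables-restore --test dry run and the /etc/iptables/rules.v4 path are assumptions for illustration; the MASQUERADE rule is scoped by interface only because the container subnets are not known here.

```shell
#!/bin/sh
# Added example (not from the original post): generate the iptables-restore
# ruleset for any set of Docker bridges instead of hand-editing a
# br-xxxxxxxxxxxx name per network.
# Assumptions: POSIX sh; the external interface and the bridge names are passed
# as arguments (e.g. from docker_bridges below on a live host); the container
# subnets are unknown, so MASQUERADE is scoped by outgoing interface only.

# FORWARD rules for one bridge: egress out, only replies back in, intra-bridge ok.
forward_rules_for() {
    ext="$1"; br="$2"
    printf '%s\n' \
        "# bridge $br" \
        "-A FORWARD -i $br -o $ext -j ACCEPT" \
        "-A FORWARD -i $ext -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "-A FORWARD -i $br -o $br -j ACCEPT"
}

# Complete ruleset: $1 = external interface, remaining args = bridge names.
gen_ruleset() {
    ext="$1"; shift
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF
    for br in "$@"; do
        forward_rules_for "$ext" "$br"
    done
    cat <<EOF
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Bridge interface names of every bridge-driver network on a live host
# (needs the docker CLI; not exercised offline). The default network carries an
# explicit bridge.name option (docker0); user-defined networks use
# br-<12-char network ID>, which is what `docker network ls -q` prints.
docker_bridges() {
    for id in $(docker network ls -q -f driver=bridge); do
        name=$(docker network inspect -f '{{index .Options "com.docker.network.bridge.name"}}' "$id")
        if [ -n "$name" ]; then echo "$name"; else echo "br-$id"; fi
    done
}

# Usage on the host (assumed paths): write the file, parse it without applying
# it, and only then load it.
#   gen_ruleset eno16777728 $(docker_bridges) > /etc/iptables/rules.v4
#   iptables-restore --test < /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

After loading, `iptables -S FORWARD` should show only the rules you generated; if a DOCKER or DOCKER-USER chain still appears, the daemon was not restarted with "iptables": false.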


Reprinted from: https://my.oschina.net/myaniu/blog/1800088
