按照 https://www.cnblogs.com/CloudMan6/p/7341487.html 进行操作,实验结果与老师文章中的正好相反:不同 overlay 网络中的容器可以互相通信,验证部分见下面高亮代码段。
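问题找到了:我机器上有一块网卡的 IP 是 10.0.10.101/20,把这个网卡禁用就好了。我用的是云主机,这是云主机的内网网卡。这个 /20 网段覆盖 10.0.0.0–10.0.15.255,与 ov_net1(10.0.0.0/24)、ov_net2(10.0.1.0/24)的地址段重叠;bbox3 没有到 10.0.0.0/24 的直连路由,发往 10.0.0.2 的包走默认路由 172.18.0.1 到宿主机,再经 nat 表的 MASQUERADE 规则从内网网卡转发出去。下文成功的那次 ping 应答是 ttl=127,而同机容器之间的应答是 ttl=64,因此应答方很可能是云内网中另一台地址同为 10.0.0.2 的机器,而不是 bbox1——overlay 之间的隔离并没有被打破,只是流量漏到了底层内网。创建 overlay 网络时用 --subnet 指定与宿主机网段不重叠的地址段可以避免这种情况。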
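但同一宿主机上的容器还是可以通过 docker_gwbridge 网卡上的地址(172.18.0.0/16)互相 ping 通。从下面的 iptables-save 输出看,Docker 添加的 `-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP` 排在 ufw 的各条 forward 链之后,而 ufw-before-forward 已经先放行了 ICMP echo-request(--icmp-type 8),所以 ping 包到不了这条 DROP(前提是桥接流量会经过 iptables,此处未验证)。这里只测了 ICMP,其他协议是否同样被放行需要另行验证。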
root@host01:~# ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:8a:65:2a:66
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

docker_gwbridge Link encap:Ethernet  HWaddr 02:42:4d:d7:0f:5f
          inet addr:172.18.0.1  Bcast:172.18.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:4dff:fed7:f5f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:678468 (678.4 KB)  TX bytes:825486 (825.4 KB)

ens3      Link encap:Ethernet  HWaddr 52:54:00:03:02:a5
          inet addr:10.0.10.101  Bcast:10.0.15.255  Mask:255.255.240.0
          inet6 addr: fe80::5054:ff:fe03:2a5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20957391 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6997 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1263185923 (1.2 GB)  TX bytes:615570 (615.5 KB)

ens4      Link encap:Ethernet  HWaddr 52:54:01:02:a5:e3
          inet addr:123.58.8.20  Bcast:123.58.8.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:1ff:fe02:a5e3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12336540 errors:0 dropped:208 overruns:0 frame:0
          TX packets:1500196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1073827885 (1.0 GB)  TX bytes:217543294 (217.5 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

veth37959a9 Link encap:Ethernet  HWaddr 9a:74:fe:5d:2c:cd
          inet6 addr: fe80::9874:feff:fe5d:2ccd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2064 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:198016 (198.0 KB)  TX bytes:199348 (199.3 KB)

veth9b8f24e Link encap:Ethernet  HWaddr 72:99:9e:13:c8:37
          inet6 addr: fe80::7099:9eff:fe13:c837/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10188 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10193 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:989520 (989.5 KB)  TX bytes:1022578 (1.0 MB)

root@host01:~# ifconfig ens3 down
root@host01:~#
root@host01:~#
root@host01:~# docker exec bbox3 ping -c 2 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.156 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.134 ms

--- 172.18.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.134/0.145/0.156 ms

root@host01:~# docker exec bbox3 ping -c 2 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes

--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host01:~#
root@host01:~# docker version Client: Version: 18.09.3 API version: 1.39 Go version: go1.10.8 Git commit: 774a1f4 Built: Thu Feb 28 06:40:58 2019 OS/Arch: linux/amd64 Experimental: false Server: Docker Engine - Community Engine: Version: 18.09.3 API version: 1.39 (minimum version 1.12) Go version: go1.10.8 Git commit: 774a1f4 Built: Thu Feb 28 05:59:55 2019 OS/Arch: linux/amd64 Experimental: false root@host01:~# docker network ls NETWORK ID NAME DRIVER SCOPE 5f1cb3e7ea16 bridge bridge local 467a0c3b1d73 docker_gwbridge bridge local a08d5e1df638 host host local 83f08e15caa8 none null local 609020e03ff4 ov_net1 overlay global 3de64fa3d3ee ov_net2 overlay global root@host01:~# docker network inspect ov_net1 [ { "Name": "ov_net1", "Id": "609020e03ff4ac5fb1aad73e23bfb22bc288463663e5aba775ed06263077c242", "Created": "2019-03-15T08:52:44.452192114+08:00", "Scope": "global", "Driver": "overlay", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "10.0.0.0/24", "Gateway": "10.0.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61": { "Name": "bbox1", "EndpointID": "a5c953f0f64694095ebb50102305a617072b66ae494a54167250168683ea1571", "MacAddress": "02:42:0a:00:00:02", "IPv4Address": "10.0.0.2/24", "IPv6Address": "" }, "ep-0e7e516e2d946d2e090a88f1358096a6baf89dbbe8f07a8681705552939e58e2": { "Name": "bbox2", "EndpointID": "0e7e516e2d946d2e090a88f1358096a6baf89dbbe8f07a8681705552939e58e2", "MacAddress": "02:42:0a:00:00:03", "IPv4Address": "10.0.0.3/24", "IPv6Address": "" } }, "Options": {}, "Labels": {} } ] root@host01:~# docker network inspect ov_net2 [ { "Name": "ov_net2", "Id": "3de64fa3d3ee7875685a99ee0d1a21f220ff107c17b2fc25d2cc43dee669f005", "Created": "2019-03-20T08:50:15.368081913+08:00", "Scope": "global", "Driver": "overlay", "EnableIPv6": false, "IPAM": { "Driver": "default", 
"Options": {}, "Config": [ { "Subnet": "10.0.1.0/24", "Gateway": "10.0.1.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1": { "Name": "bbox3", "EndpointID": "7d14cb392da9e77ccb9d574935d535a4f5e4b02e1f44a4ed0a4ee8688d1e9d32", "MacAddress": "02:42:0a:00:01:02", "IPv4Address": "10.0.1.2/24", "IPv6Address": "" } }, "Options": {}, "Labels": {} } ] root@host01:~# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 271022e6c6ed busybox "sh" 15 minutes ago Up 15 minutes bbox3 e666ab4af792 busybox "sh" 2 days ago Up 2 days bbox1 root@host01:~# docker inspect bbox1 [ { "Id": "e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61", "Created": "2019-03-18T00:55:22.236809259Z", "Path": "sh", "Args": [], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 18919, "ExitCode": 0, "Error": "", "StartedAt": "2019-03-18T00:55:23.137228284Z", "FinishedAt": "0001-01-01T00:00:00Z" }, "Image": "sha256:d8233ab899d419c58cf3634c0df54ff5d8acc28f8173f09c21df4a07229e1205", "ResolvConfPath": "/var/lib/docker/containers/e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61/resolv.conf", "HostnamePath": "/var/lib/docker/containers/e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61/hostname", "HostsPath": "/var/lib/docker/containers/e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61/hosts", "LogPath": "/var/lib/docker/containers/e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61/e666ab4af792055c63afde141a13286a8e108df2472994a42f22d92e4dbd4f61-json.log", "Name": "/bbox1", "RestartCount": 0, "Driver": "overlay2", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "docker-default", "ExecIDs": [ "472f27d9d44e88bcd743fdd89bca9ed6bdef7ec58e061b36b2f65eae4601064e" ], 
"HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "ov_net1", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "shareable", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": [], "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DeviceCgroupRules": null, "DiskQuota": 0, "KernelMemory": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": false, "PidsLimit": 0, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/95fe4db24230c3bd702eb54fc90e1c700f251511968a2c36a6d2b62d533dff97-init/diff:/var/lib/docker/overlay2/c863240dcd004963897d5b3805879ad87038dc5f840e48cccc4517101c33f2de/diff", "MergedDir": "/var/lib/docker/overlay2/95fe4db24230c3bd702eb54fc90e1c700f251511968a2c36a6d2b62d533dff97/merged", "UpperDir": 
"/var/lib/docker/overlay2/95fe4db24230c3bd702eb54fc90e1c700f251511968a2c36a6d2b62d533dff97/diff", "WorkDir": "/var/lib/docker/overlay2/95fe4db24230c3bd702eb54fc90e1c700f251511968a2c36a6d2b62d533dff97/work" }, "Name": "overlay2" }, "Mounts": [], "Config": { "Hostname": "e666ab4af792", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "Tty": true, "OpenStdin": true, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ], "Cmd": [ "sh" ], "ArgsEscaped": true, "Image": "busybox", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": null, "Labels": {} }, "NetworkSettings": { "Bridge": "", "SandboxID": "a8d468c12df86f394ce13268a9c5507bc7df4c0d39f6463afb9b426b59dc1e3b", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": {}, "SandboxKey": "/var/run/docker/netns/a8d468c12df8", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": { "ov_net1": { "IPAMConfig": null, "Links": null, "Aliases": [ "e666ab4af792" ], "NetworkID": "609020e03ff4ac5fb1aad73e23bfb22bc288463663e5aba775ed06263077c242", "EndpointID": "a5c953f0f64694095ebb50102305a617072b66ae494a54167250168683ea1571", "Gateway": "", "IPAddress": "10.0.0.2", "IPPrefixLen": 24, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "02:42:0a:00:00:02", "DriverOpts": null } } } } ] root@host01:~# docker inspect bbox3 [ { "Id": "271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1", "Created": "2019-03-20T00:50:44.855237793Z", "Path": "sh", "Args": [], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 30624, "ExitCode": 0, "Error": "", "StartedAt": "2019-03-20T00:50:45.682912119Z", "FinishedAt": 
"0001-01-01T00:00:00Z" }, "Image": "sha256:d8233ab899d419c58cf3634c0df54ff5d8acc28f8173f09c21df4a07229e1205", "ResolvConfPath": "/var/lib/docker/containers/271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1/resolv.conf", "HostnamePath": "/var/lib/docker/containers/271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1/hostname", "HostsPath": "/var/lib/docker/containers/271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1/hosts", "LogPath": "/var/lib/docker/containers/271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1/271022e6c6ed1cb28a29045561a48100cc0c14e3b5bb664beb41e3f4edc976a1-json.log", "Name": "/bbox3", "RestartCount": 0, "Driver": "overlay2", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "docker-default", "ExecIDs": [ "194f02fffa032374b38533f493895b01734ad73bad099c52aa58c50309682132", "671d3ac6d67c4aa66eb654452c9352f9c7987663ca2869c19bb67fc62799d065", "6f50e18e46e598e1731302ac85342a5e97998ab97ce93950f5b62ca88a17d0fa", "bb621c0d3f369ddf51c667e35c1a967247496e312e79e210ed87e141479ada55", "a8f53d5aea29b1ee17fea1df17473c21fb8e294ca0398271563034c26dc5fc47", "91542ff68f138b7399a6925c027c5da877cb6442b7bd8de5333dd81e1d953fcc", "6576c99cc0a2105c4079ab3aca1a492343e8585a014a88f8543c8b43b037da5c", "d6c791223233956c992faed5d2e1b9d436021465d14ba36c4e1061164ed52bc5", "8ebb089fbf31ea7f2505c73807bb605448e1908d310e74a6a7ce04605e04dd29", "5deedc5e46f96d9f602c1e87bd9ccbedd4a999f7baffa54a946e96e898da9e9d", "d03f403ba7dd9076855f6f3569b99f6a46d88df12b541a00d5de0e456578f718" ], "HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "ov_net2", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "shareable", "Cgroup": "", 
"Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": [], "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DeviceCgroupRules": null, "DiskQuota": 0, "KernelMemory": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": false, "PidsLimit": 0, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/92b0ff57e03fbca7721437f95431e6e2cf30f42c4049bc03f35faf9e2910ec8d-init/diff:/var/lib/docker/overlay2/c863240dcd004963897d5b3805879ad87038dc5f840e48cccc4517101c33f2de/diff", "MergedDir": "/var/lib/docker/overlay2/92b0ff57e03fbca7721437f95431e6e2cf30f42c4049bc03f35faf9e2910ec8d/merged", "UpperDir": "/var/lib/docker/overlay2/92b0ff57e03fbca7721437f95431e6e2cf30f42c4049bc03f35faf9e2910ec8d/diff", "WorkDir": "/var/lib/docker/overlay2/92b0ff57e03fbca7721437f95431e6e2cf30f42c4049bc03f35faf9e2910ec8d/work" }, "Name": "overlay2" }, "Mounts": [], "Config": { "Hostname": "271022e6c6ed", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "Tty": true, "OpenStdin": true, "StdinOnce": false, "Env": [ 
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ], "Cmd": [ "sh" ], "ArgsEscaped": true, "Image": "busybox", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": null, "Labels": {} }, "NetworkSettings": { "Bridge": "", "SandboxID": "bfc2cc3d7aab378528488e6124294a45f8e55404e39e5847b95f8c04bcb76f52", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": {}, "SandboxKey": "/var/run/docker/netns/bfc2cc3d7aab", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": { "ov_net2": { "IPAMConfig": null, "Links": null, "Aliases": [ "271022e6c6ed" ], "NetworkID": "3de64fa3d3ee7875685a99ee0d1a21f220ff107c17b2fc25d2cc43dee669f005", "EndpointID": "7d14cb392da9e77ccb9d574935d535a4f5e4b02e1f44a4ed0a4ee8688d1e9d32", "Gateway": "", "IPAddress": "10.0.1.2", "IPPrefixLen": 24, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "02:42:0a:00:01:02", "DriverOpts": null } } } } ] root@host01:~# docker exec bbox1 ip r default via 172.18.0.1 dev eth1 10.0.0.0/24 dev eth0 scope link src 10.0.0.2 172.18.0.0/16 dev eth1 scope link src 172.18.0.2 root@host01:~# docker exec bbox3 ip r default via 172.18.0.1 dev eth1 10.0.1.0/24 dev eth0 scope link src 10.0.1.2 172.18.0.0/16 dev eth1 scope link src 172.18.0.3 root@host01:~# docker exec bbox3 ping -c 2 10.0.0.2 PING 10.0.0.2 (10.0.0.2): 56 data bytes 64 bytes from 10.0.0.2: seq=0 ttl=127 time=0.468 ms 64 bytes from 10.0.0.2: seq=1 ttl=127 time=0.511 ms --- 10.0.0.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.468/0.489/0.511 ms root@host01:~# docker exec bbox3 ping -c 2 172.18.0.2 PING 172.18.0.2 (172.18.0.2): 56 data bytes 64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.133 ms 64 bytes from 172.18.0.2: seq=1 ttl=64 
time=0.083 ms --- 172.18.0.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.083/0.108/0.133 ms root@host01:~# iptables-save # Generated by iptables-save v1.6.0 on Wed Mar 20 09:07:13 2019 *nat :PREROUTING ACCEPT [6969439:332697137] :INPUT ACCEPT [5895:322108] :OUTPUT ACCEPT [4416:266616] :POSTROUTING ACCEPT [4419:266868] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A DOCKER -i docker_gwbridge -j RETURN -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed Mar 20 09:07:13 2019 # Generated by iptables-save v1.6.0 on Wed Mar 20 09:07:13 2019 *filter :INPUT DROP [166:8716] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] :ufw-after-forward - [0:0] :ufw-after-input - [0:0] :ufw-after-logging-forward - [0:0] :ufw-after-logging-input - [0:0] :ufw-after-logging-output - [0:0] :ufw-after-output - [0:0] :ufw-before-forward - [0:0] :ufw-before-input - [0:0] :ufw-before-logging-forward - [0:0] :ufw-before-logging-input - [0:0] :ufw-before-logging-output - [0:0] :ufw-before-output - [0:0] :ufw-logging-allow - [0:0] :ufw-logging-deny - [0:0] :ufw-not-local - [0:0] :ufw-reject-forward - [0:0] :ufw-reject-input - [0:0] :ufw-reject-output - [0:0] :ufw-skip-to-policy-forward - [0:0] :ufw-skip-to-policy-input - [0:0] :ufw-skip-to-policy-output - [0:0] :ufw-track-forward - [0:0] :ufw-track-input - [0:0] :ufw-track-output - [0:0] :ufw-user-forward - [0:0] :ufw-user-input - [0:0] :ufw-user-limit - [0:0] :ufw-user-limit-accept - [0:0] :ufw-user-logging-forward - [0:0] :ufw-user-logging-input - [0:0] :ufw-user-logging-output - [0:0] :ufw-user-output - [0:0] -A INPUT -j ufw-before-logging-input -A INPUT -j 
ufw-before-input -A INPUT -j ufw-after-input -A INPUT -j ufw-after-logging-input -A INPUT -j ufw-reject-input -A INPUT -j ufw-track-input -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker_gwbridge -j DOCKER -A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A FORWARD -j ufw-before-logging-forward -A FORWARD -j ufw-before-forward -A FORWARD -j ufw-after-forward -A FORWARD -j ufw-after-logging-forward -A FORWARD -j ufw-reject-forward -A FORWARD -j ufw-track-forward -A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP -A OUTPUT -j ufw-before-logging-output -A OUTPUT -j ufw-before-output -A OUTPUT -j ufw-after-output -A OUTPUT -j ufw-after-logging-output -A OUTPUT -j ufw-reject-output -A OUTPUT -j ufw-track-output -A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! 
-o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT -A ufw-before-forward -j ufw-user-forward -A ufw-before-input -i lo -j ACCEPT -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny -A ufw-before-input -m conntrack --ctstate INVALID -j DROP -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A ufw-before-input -j ufw-not-local -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT -A ufw-before-input -j ufw-user-input -A ufw-before-output -o lo -j ACCEPT -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A ufw-before-output -j ufw-user-output -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] " -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] " -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny -A ufw-not-local -j DROP -A ufw-skip-to-policy-forward -j DROP -A ufw-skip-to-policy-input -j DROP -A ufw-skip-to-policy-output -j ACCEPT -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT -A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT -A ufw-user-input -p tcp -m tcp --dport 2376 -j ACCEPT -A ufw-user-input -p udp -m udp --dport 2376 -j ACCEPT -A ufw-user-input -p udp -m udp --dport 4789 -j ACCEPT -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] " -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable -A ufw-user-limit-accept -j ACCEPT COMMIT # Completed on Wed Mar 20 09:07:13 2019 root@host01:~# brctl show bridge name bridge id STP enabled interfaces docker0 8000.02428a652a66 no docker_gwbridge 8000.02424dd70f5f no veth37959a9 veth9b8f24e root@host01:~#