iptables reports "No chain/target/match by that name" when starting a container with NAT-mapped ports
```sh
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
Error response from daemon: Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name
```
After going through countless websites and the official issues I still could not find a real solution; what gets reposted everywhere only analyses the cause and never gives a concrete fix. My colleague and I pulled an all-nighter and finally solved it.
Locate the system's /etc/sysconfig/iptables. If it does not exist, save the current rules with the following command, then look at its contents:
```sh
iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
```
The contents were as follows:
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
#syn
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
#DOS
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
## some simple firewall rules omitted
```
The container start-up error refers to `-A DOCKER`, i.e. the DOCKER chain, but that chain appears nowhere in this iptables file. I had never hit this problem while learning Docker on my own system (Arch Linux), so I went straight to that machine's iptables file, whose contents are:
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
```
Comparing the two and dropping the rules that are not relevant (the per-container DNAT, MASQUERADE and ACCEPT entries), the *nat table carries the following Docker configuration:
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
```
and the *filter table carries this Docker configuration:
```
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
```
The configuration file with the unrelated rules removed (usable as-is; the bridge subnet 172.17.0.0/16 and interface docker0 are Docker's defaults and must match your host):
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
```
Then add your own server's filter rules, merge the two, and write the result over /etc/sysconfig/iptables on CentOS 7. Two things to keep in mind when merging: published container ports are DNAT'ed in nat PREROUTING and then traverse FORWARD, not INPUT, so the syn-flood and connlimit rules in INPUT above do not apply to traffic reaching the container ports; protection for those ports has to be placed in the FORWARD chain. And restoring the file replaces the whole ruleset, so the per-container DNAT and ACCEPT rules that Docker added for containers already running are gone until the Docker daemon is restarted and re-creates them.

Restart the iptables service:

```sh
systemctl restart iptables.service
```
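The diagnosis above (a saved ruleset that never declares the DOCKER chain, so Docker's `-A DOCKER` fails at container start) and the merge step just described can both be scripted rather than done by hand. The following is an added example, not code from the original post: it audits an `iptables-save` dump for a DOCKER chain in the nat and filter tables, and emits a copy with the Docker skeleton from the Arch dump added to whichever table lacks it, so the result can be diffed before it is written to /etc/sysconfig/iptables. The sample dump is constructed from the CentOS file shown earlier; the bridge name `docker0` and subnet `172.17.0.0/16` are assumptions taken from the Arch dump and must match the real host (compare with `ip addr show docker0`).

```sh
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump for the
# DOCKER chain and emit a copy with Docker's skeleton rules added where missing.
# Assumptions (adjust to the real host): bridge name and bridge subnet.
DOCKER_BRIDGE=docker0
DOCKER_SUBNET=172.17.0.0/16

# Constructed sample: the CentOS 7 /etc/sysconfig/iptables from the post,
# trimmed. It has a *filter table only and no DOCKER chain anywhere.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# missing_docker_chains: read a dump on stdin, print the tables (nat, filter)
# that do not declare a ":DOCKER" chain. Empty output means nothing is missing.
missing_docker_chains() {
    awk '
        /^\*/        { table = substr($1, 2) }
        /^:DOCKER /  { has[table] = 1 }
        END {
            n = split("nat filter", want, " ")
            for (i = 1; i <= n; i++)
                if (!has[want[i]]) { if (out != "") out = out " "; out = out want[i] }
            print out
        }'
}

# add_docker_chains: read a dump on stdin, write it back with the DOCKER chain
# declared and the jump/MASQUERADE rules from the Arch dump added to any table
# that lacks them. The declaration is emitted before the first rule of the
# table (iptables-restore must know the chain before a rule jumps to it), and
# the FORWARD rules go in front of any existing FORWARD rules, which is where
# Docker itself inserts them. Idempotent: a dump that already has the chains
# is returned unchanged.
add_docker_chains() {
    awk -v br="$DOCKER_BRIDGE" -v subnet="$DOCKER_SUBNET" '
        function skeleton(t) {
            print ":DOCKER - [0:0]"
            if (t == "nat") {
                print "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER"
                print "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER"
                print "-A POSTROUTING -s " subnet " ! -o " br " -j MASQUERADE"
            } else {
                print "-A FORWARD -o " br " -j DOCKER"
                print "-A FORWARD -o " br " -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
                print "-A FORWARD -i " br " ! -o " br " -j ACCEPT"
                print "-A FORWARD -i " br " -o " br " -j ACCEPT"
            }
        }
        /^#/ || /^$/ { print; next }                  # comments and blank lines
        /^\*/        { table = substr($1, 2); seen[table] = 1; print; next }
        /^:DOCKER /  { has[table] = 1 }
        /^:/         { print; next }                  # policy / chain declarations
        (table == "nat" || table == "filter") && !has[table] && !added[table] {
            skeleton(table); added[table] = 1          # first rule (or COMMIT) of the table
        }
        { print }
        END {
            if (!seen["nat"]) {                       # no nat table at all: append one
                print "*nat"
                print ":PREROUTING ACCEPT [0:0]"
                print ":INPUT ACCEPT [0:0]"
                print ":OUTPUT ACCEPT [0:0]"
                print ":POSTROUTING ACCEPT [0:0]"
                skeleton("nat")
                print "COMMIT"
            }
        }'
}

# Demo over the constructed sample. On a real host feed `iptables-save` instead
# and diff the output against /etc/sysconfig/iptables before writing it.
printf '%s\n' "$SAMPLE_RULES" | missing_docker_chains     # prints: nat filter
patched=$(printf '%s\n' "$SAMPLE_RULES" | add_docker_chains)
printf '%s\n' "$patched" | missing_docker_chains          # prints an empty line
```

The skeleton only restores what Docker needs to be able to append its own per-container rules; it does not re-create the DNAT entries for containers that were running before the restore, so after `systemctl restart iptables.service` the Docker daemon still has to be restarted for those containers.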
Start the Docker container again:
```sh
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
```
This time the container started successfully. There was a warning, but it does not affect use of the container.