Background
Host information
[root@htwy ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.5.1804 (Core)
Release: 7.5.1804
Codename: Core
[root@htwy ~]# docker info
Containers: 16
Running: 16
Paused: 0
Stopped: 0
Images: 35
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 3.10.0-862.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 31.02GiB
Name: htwy
ID: XKVN:JBW6:RFQX:4SJA:TVR3:VCOH:2WGT:E2SF:LYMC:GPQN:MW33:MICD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Problem
On this host I created two containers: jenkins and gitlab.
[root@htwy ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b8e4372c845 maven-node-jenkins:lts "/sbin/tini -- /usr/…" 4 hours ago Up About an hour 0.0.0.0:50000->50000/tcp, 0.0.0.0:8081->8080/tcp jenkins
c1bd3be46aa0 gitlab/gitlab-ce:11.1.4-ce.0 "/assets/wrapper" 27 hours ago Up About an hour (healthy) 443/tcp, 0.0.0.0:8087->22/tcp, 0.0.0.0:8088->80/tcp gitlab
Jenkins could not fetch the code from GitLab and failed with Failed to connect to 192.168.31.100 port 8088: No route to host.
Entering the jenkins container, I found that the host 192.168.31.100 was reachable on the network, but
curl http://192.168.31.100:8088 failed with No route to host.
My first guess was the firewall, so I stopped it manually:
systemctl stop firewalld.service
Now jenkins could reach 192.168.31.100:8088, but the jenkins container lost access to the Internet, failing with
connect to 115.239.210.27 port 80 (tcp) failed: No route to host
So it could no longer reach the outside world.
The situation kept flipping between two states:
With the firewall on, containers can reach the Internet but not the host, and report
Failed to connect to 192.168.31.100 port 8088: No route to host
With the firewall off, containers can reach the host but not the Internet, and report
connect to 115.239.210.27 port 80 (tcp) failed: No route to host
Docker was unusable this way.
Investigation
After consulting some references, namely
Docker NAT iptables实现 及网络配置 (网络二) (Docker NAT/iptables implementation and network configuration, networking part 2)
Docker Port与iptables一个请求是如何从实体机传递到我们的应用的 (Docker ports and iptables: how a request travels from the physical machine to our application)
I still could not solve the problem I was hitting,
so the approach was to focus on the relationship between Docker and firewalld.
[root@htwy ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-08-29 22:20:50 EDT; 4h 37min ago
Docs: man:firewalld(1)
Main PID: 107747 (firewalld)
Tasks: 2
Memory: 25.8M
CGroup: /system.slice/firewalld.service
└─107747 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Aug 30 02:05:51 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 443 -j MASQUERADE' failed: iptables: N... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 8880 -j DNAT --to-destination 172.27.0.4:80 ! -i br-d729b10fd4b1... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-d729b10fd4b1 -o br-d729b10fd4b1 -p tcp -d 172.27.0.4 --dport 80 -j ACCEPT' ... that chain?).
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 80 -j MASQUERADE' failed: iptables: No... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 4443 -j DNAT --to-destination 172.27.0.4:4443 ! -i br-d729b10fd4... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-d729b10fd4b1 -o br-d729b10fd4b1 -p tcp -d 172.27.0.4 --dport 4443 -j ACCEPT... that chain?).
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 4443 -j MASQUERADE' failed: iptables: ... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 443 -j DNAT --to-destination 172.27.0.4:443 ! -i br-d729b10fd4b1... by that name.
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-d729b10fd4b1 -o br-d729b10fd4b1 -p tcp -d 172.27.0.4 --dport 443 -j ACCEPT'... that chain?).
Aug 30 02:05:53 htwy firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.27.0.4 -d 172.27.0.4 --dport 443 -j MASQUERADE' failed: iptables: N... by that name.
Hint: Some lines were ellipsized, use -l to show in full.
[root@htwy ~]#
Searching Google for the keyword firewalld[107747]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables
turned up
the question Docker Firewalld/iptables WARNING: COMMAND_FAILED, which points to a Docker issue:
Docker vs. firewalld on CentOS 7 #16137
Evidently many people have hit the same problem; reports have been coming in since 2015-09.
In that issue, **tiangolo** proposed a fix:
The (new) fix (updated 2017-01-13) (updated 2017-01-16)
The ultra short version of the fix
- Run all these commands:
nmcli connection modify docker0 connection.zone trusted
systemctl stop NetworkManager.service
firewall-cmd --permanent --zone=trusted --change-interface=docker0
systemctl start NetworkManager.service
nmcli connection modify docker0 connection.zone trusted
systemctl restart docker.service
The explained version and how to check everything worked
The current workaround that seems to work ends up creating a trusted.xml file AND an ifcfg-docker0 file. The trusted.xml file would set the zone after a reboot (read and used by firewalld) and the ifcfg-docker0 would set the zone after reload or restart of services and interface or connections restarted (read and used mainly by NetworkManager).
To achieve that:
- After having the new interface (e.g. after installing Docker) and having FirewallD enabled and started, set the zone of the interface with NetworkManager's nmcli:
nmcli connection modify docker0 connection.zone trusted
...that would set the zone in NetworkManager and FirewallD for the current session and will create the ifcfg-docker0 file for services, network or interfaces' restarts and reloads.
- Check that the file was created with:
cat /etc/sysconfig/network-scripts/ifcfg-docker0
...it should output something like:
DEVICE=docker0
STP=no
BRIDGING_OPTS=ageing_time=299
TYPE=Bridge
BOOTPROTO=none
IPADDR=172.17.0.1
PREFIX=16
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=docker0
UUID=5ccc8292-95a2-40d5-9ed6-ab6202fa629e
ONBOOT=no
ZONE=trusted
...specifically, it should have a:
ZONE=trusted
- Now we need FirewallD to generate that trusted.xml file so that it uses it while booting, but for FirewallD to write that file it must think that NetworkManager is not active, so stop NetworkManager:
systemctl stop NetworkManager.service
- Now set the zone with FirewallD's firewall-cmd:
firewall-cmd --permanent --zone=trusted --change-interface=docker0
- As NetworkManager is stopped, it won't modify (or even try to create) an ifcfg-docker0 file; if NetworkManager was running it would try to create that same file and wouldn't work after reboot. But this time, as NetworkManager is stopped, it will create a file in the other place for configurations, we can see it with:
cat /etc/firewalld/zones/trusted.xml
...outputs:
Trusted
All network connections are accepted.
...we can see that the docker0 interface was added to this trusted zone by the:
- And now we can start NetworkManager again:
systemctl start NetworkManager.service
- It is possible that you need to set the zone with NetworkManager again as firewalld might have "forgotten" the zone settings, it won't do any harm:
nmcli connection modify docker0 connection.zone trusted
- We can check that FirewallD thinks that the docker0 is in the trusted zone. Check the zone of the docker0 interface as seen by FirewallD:
firewall-cmd --get-zone-of-interface=docker0
...outputs:
trusted
- And NetworkManager also thinks that it is in the trusted zone. Check the zone of the docker0 interface as seen by NetworkManager:
nmcli connection show docker0 | grep zone
...outputs something like:
connection.zone: trusted
We can restart the system and check that the zone will persist, for both FirewallD and NetworkManager.
If you already checked that it worked and don't want to restart the system, you still will have to restart the Docker service for it to re-create its iptables rules:
systemctl restart docker.service
- If you need to change more things with FirewallD and NetworkManager, or if something doesn't seem to be working, please read that issue in FirewallD, as here I'm not showing a lot of the details: https://github.com/t-woerner/firewalld/issues/195
Running the commands
[root@htwy ~]# nmcli connection modify docker0 connection.zone trusted
[root@htwy ~]# systemctl stop NetworkManager.service
[root@htwy ~]# firewall-cmd --permanent --zone=trusted --change-interface=docker0
success
[root@htwy ~]# systemctl start NetworkManager.service
[root@htwy ~]# nmcli connection modify docker0 connection.zone trusted
[root@htwy ~]# systemctl restart docker.service
Verifying the result: jenkins can now reach the gitlab service
[root@htwy ~]# docker exec -it jenkins curl http://192.168.31.100:8088/
You are being redirected.
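As an added example (not code from the post or from tiangolo's comment), here is a shell script that checks the four places the comment says the zone must be recorded: the ifcfg-docker0 file, the trusted.xml zone file, and the live view of firewall-cmd and nmcli. The paths and commands are the ones in the comment; the `<interface name="docker0"/>` element in trusted.xml is assumed from firewalld's zone-file format, since the post shows that file only as rendered text.

```shell
#!/bin/sh
# Added example, not part of the post or of tiangolo's comment: verifies that
# docker0's "trusted" zone is recorded everywhere the comment says it must be.
# Each check is a pure function over text so it can run on saved output;
# live_check() feeds it the real files and commands on the host.

IFCFG=/etc/sysconfig/network-scripts/ifcfg-docker0   # path from the post
ZONE_XML=/etc/firewalld/zones/trusted.xml             # path from the post

# ifcfg-docker0 must carry a whole line "ZONE=<zone>" (read by NetworkManager).
ifcfg_has_zone() {      # stdin: ifcfg contents; $1: zone
    grep -qx "ZONE=$1"
}

# trusted.xml must list the interface (read by firewalld at boot). The
# <interface name="..."/> element is firewalld's zone-file syntax; the post
# only shows this file's rendered text, so that element is an assumption here.
zone_xml_has_iface() {  # stdin: zone file contents; $1: interface
    grep -q "<interface name=\"$1\"/>"
}

# firewall-cmd --get-zone-of-interface=docker0 must print exactly the zone.
fwcmd_zone_is() {       # $1: command output; $2: zone
    [ "$1" = "$2" ]
}

# nmcli connection show docker0 must report "connection.zone: <zone>".
nmcli_zone_is() {       # stdin: nmcli output; $1: zone
    grep -q "^connection\.zone:[[:space:]]*$1\$"
}

# Run all four checks, print one line each, return the number of failures.
check_all() {  # $1 ifcfg text, $2 trusted.xml text, $3 firewall-cmd output, $4 nmcli output
    fails=0
    if printf '%s\n' "$1" | ifcfg_has_zone trusted; then echo "ok   ifcfg-docker0 has ZONE=trusted"
    else echo "FAIL ifcfg-docker0 lacks ZONE=trusted (nmcli step not applied)"; fails=$((fails+1)); fi
    if printf '%s\n' "$2" | zone_xml_has_iface docker0; then echo "ok   trusted.xml lists docker0"
    else echo "FAIL trusted.xml does not list docker0 (firewall-cmd step not applied)"; fails=$((fails+1)); fi
    if fwcmd_zone_is "$3" trusted; then echo "ok   firewalld sees docker0 in trusted"
    else echo "FAIL firewalld sees docker0 in '$3'"; fails=$((fails+1)); fi
    if printf '%s\n' "$4" | nmcli_zone_is trusted; then echo "ok   NetworkManager sees docker0 in trusted"
    else echo "FAIL NetworkManager does not see docker0 in trusted"; fails=$((fails+1)); fi
    return $fails
}

# Live run on the CentOS 7 host (needs root to read the firewalld zone file).
live_check() {
    check_all "$(cat "$IFCFG")" "$(cat "$ZONE_XML")" \
              "$(firewall-cmd --get-zone-of-interface=docker0)" \
              "$(nmcli connection show docker0)"
}

# Constructed sample inputs: a host where only the nmcli step was run, so the
# zone is not yet persisted for firewalld.
SAMPLE_IFCFG='DEVICE=docker0
TYPE=Bridge
NAME=docker0
ZONE=trusted'
SAMPLE_XML_MISSING='<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
</zone>'
SAMPLE_XML_OK='<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="docker0"/>
</zone>'

check_all "$SAMPLE_IFCFG" "$SAMPLE_XML_MISSING" public "connection.zone: trusted" \
    || echo "sample: $? check(s) failed"
```

Call live_check on the host after the six commands; a non-zero return means one of the persistence steps did not take and the zone will be lost on the next reboot or service restart.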
Network environment changes after running the commands: [three before/after screenshots of the network state, not reproduced here]
iptables comparison
Before
[root@htwy ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (11 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:50000
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.27.0.2 tcp dpt:10514
ACCEPT tcp -- 0.0.0.0/0 172.27.0.9 tcp dpt:4443
ACCEPT tcp -- 0.0.0.0/0 172.27.0.9 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.27.0.9 tcp dpt:80
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
After
[root@htwy ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 172.27.0.3 tcp dpt:10514
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:50000
ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:27017
ACCEPT tcp -- 0.0.0.0/0 172.17.0.8 tcp dpt:3306
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_trusted (1 references)
target prot opt source destination
FWDI_trusted_log all -- 0.0.0.0/0 0.0.0.0/0
FWDI_trusted_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDI_trusted_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_trusted (1 references)
target prot opt source destination
FWDO_trusted_log all -- 0.0.0.0/0 0.0.0.0/0
FWDO_trusted_deny all -- 0.0.0.0/0 0.0.0.0/0
FWDO_trusted_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_trusted all -- 0.0.0.0/0 0.0.0.0/0
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_trusted (1 references)
target prot opt source destination
IN_trusted_log all -- 0.0.0.0/0 0.0.0.0/0
IN_trusted_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_trusted_allow all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain IN_trusted_allow (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088 ctstate NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8087 ctstate NEW
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
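As an added example (not from the original post), this script reads a dump in the `iptables -L -n` format shown above and reports the three things that differ between the before and after states: the FORWARD policy, the number of references to the DOCKER chain, and whether a FWDI_trusted chain exists to accept forwarded traffic before FORWARD's REJECT. The two sample dumps are constructed excerpts of the before/after output above.

```shell
#!/bin/sh
# Added example, not from the original post: summarise an "iptables -L -n"
# dump like the before/after ones above and read the "No route to host"
# symptom off it. The two samples are constructed excerpts of those dumps.
# Policy of a built-in chain ("Chain FORWARD (policy DROP)" -> DROP). stdin: dump.
chain_policy() {
    sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p"
}

# Reference count of a user chain ("Chain DOCKER (11 references)" -> 11).
chain_refs() {
    sed -n "s/^Chain $1 (\([0-9]*\) references).*/\1/p"
}

# Succeeds when the dump defines the named chain at all.
has_chain() {
    grep -q "^Chain $1 "
}

# Print the REJECT rules that sit directly in the FORWARD chain.
forward_rejects() {
    awk '/^Chain /{in_fwd = ($2 == "FORWARD")} in_fwd && /^REJECT/'
}

# Summary line plus a verdict; returns 1 when forwarded container traffic
# has no trusted-zone chain to accept it before FORWARD's REJECT. A REJECT
# with icmp-host-prohibited is what a client reports as "No route to host"
# (EHOSTUNREACH), the error the post shows in both directions.
diagnose() {  # $1: full "iptables -L -n" text
    pol=$(printf '%s\n' "$1" | chain_policy FORWARD)
    refs=$(printf '%s\n' "$1" | chain_refs DOCKER)
    if printf '%s\n' "$1" | has_chain FWDI_trusted; then zone=yes; else zone=no; fi
    echo "FORWARD policy=${pol:-?} DOCKER refs=${refs:-0} FWDI_trusted present=$zone"
    if [ "$zone" = no ] && \
       printf '%s\n' "$1" | forward_rejects | grep -q icmp-host-prohibited; then
        echo "verdict: docker0 traffic can fall through to REJECT icmp-host-prohibited"
        return 1
    fi
    echo "verdict: FWDI_trusted accepts forwarded traffic before the REJECT"
}
# Constructed excerpt of the "before" dump: firewalld on, docker0 still in public;
# 11 references means FORWARD jumps to DOCKER 11 times (2 after docker restart).
BEFORE_SAMPLE='Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain DOCKER (11 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:80
Chain FWDI_public (2 references)
target prot opt source destination'

# Constructed excerpt of the "after" dump: docker0 in the trusted zone.
AFTER_SAMPLE='Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain DOCKER (2 references)
target prot opt source destination
Chain FWDI_trusted (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0'

diagnose "$BEFORE_SAMPLE" || true   # live use: diagnose "$(iptables -L -n)"
diagnose "$AFTER_SAMPLE"
```

Note that the after dump's IN_trusted chain also ends in ACCEPT all: once docker0 is in the trusted zone, every container on that bridge can reach any port on the host, so host services that must not be reachable from containers need their own controls.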
Summary:
If you run into the same problem I did,
run the following commands.
nmcli connection modify docker0 connection.zone trusted
systemctl stop NetworkManager.service
firewall-cmd --permanent --zone=trusted --change-interface=docker0
systemctl start NetworkManager.service
nmcli connection modify docker0 connection.zone trusted
systemctl restart docker.service