一、filter(过滤规则表)
$ iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy DROP)
num target prot opt source destination
1 DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
2 DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 DOCKER all -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
8 DOCKER all -- 0.0.0.0/0 0.0.0.0/0
9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain DOCKER (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:6800
2 ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:80
3 ACCEPT tcp -- 0.0.0.0/0 172.17.0.4 tcp dpt:8080
4 ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:8080
5 ACCEPT tcp -- 0.0.0.0/0 172.17.0.9 tcp dpt:1804
6 ACCEPT tcp -- 0.0.0.0/0 172.17.0.10 tcp dpt:22000
7 ACCEPT tcp -- 0.0.0.0/0 172.17.0.10 tcp dpt:8384
8 ACCEPT tcp -- 0.0.0.0/0 172.17.0.11 tcp dpt:5000
9 ACCEPT tcp -- 0.0.0.0/0 172.17.0.12 tcp dpt:1604
10 ACCEPT tcp -- 0.0.0.0/0 172.17.0.13 tcp dpt:53
11 ACCEPT udp -- 0.0.0.0/0 172.17.0.13 udp dpt:53
12 ACCEPT tcp -- 0.0.0.0/0 172.17.0.14 tcp dpt:1404
13 ACCEPT tcp -- 0.0.0.0/0 172.17.0.15 tcp dpt:8080
14 ACCEPT tcp -- 0.0.0.0/0 172.18.0.6 tcp dpt:8080
Chain DOCKER-ISOLATION (1 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0
2 DROP all -- 0.0.0.0/0 0.0.0.0/0
3 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
$ iptables -S
-P INPUT ACCEPT //将INPUT链的默认策略设为ACCEPT
-P FORWARD DROP //将FORWARD链的默认策略设为DROP(未被任何规则接受的转发包一律丢弃)
-P OUTPUT ACCEPT
-N DOCKER //新建一条DOCKER链
-N DOCKER-ISOLATION
-N DOCKER-USER
//追加FORWARD链规则,先跳至DOCKER-USER链;该链由Docker预留给用户自定义规则,Docker自身不会改写其中的规则,因此对容器流量的额外限制应放在此链,而不是放在会被Docker重写的FORWARD或DOCKER链
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
//追加FORWARD链规则,匹配从docker0网卡流出、且经conntrack匹配模块判定连接状态为RELATED或ESTABLISHED的数据包,作为接受对象
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
//追加FORWARD链,并指定数据包从docker0网卡流出,最终跳至DOCKER链
-A FORWARD -o docker0 -j DOCKER
//追加FORWARD链,并指定数据包从docker0网卡流入,从除了docker0外的网卡流出,作为接受对象
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-87e1f9a392f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-87e1f9a392f2 -j DOCKER
-A FORWARD -i br-87e1f9a392f2 ! -o br-87e1f9a392f2 -j ACCEPT
-A FORWARD -i br-87e1f9a392f2 -o br-87e1f9a392f2 -j ACCEPT
//追加DOCKER链,并指定匹配数据包的目标地址为172.17.0.3/32,指定数据包从除docker0的网卡流入,从docker0网卡流出,协议类型为TCP,目标端口号为6800,作为接受对象
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6800 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.5/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.9/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1804 -j ACCEPT
-A DOCKER -d 172.17.0.10/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22000 -j ACCEPT
-A DOCKER -d 172.17.0.10/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8384 -j ACCEPT
-A DOCKER -d 172.17.0.11/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.17.0.12/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1604 -j ACCEPT
-A DOCKER -d 172.17.0.13/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 53 -j ACCEPT
-A DOCKER -d 172.17.0.13/32 ! -i docker0 -o docker0 -p udp -m udp --dport 53 -j ACCEPT
-A DOCKER -d 172.17.0.14/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1404 -j ACCEPT
-A DOCKER -d 172.17.0.15/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-87e1f9a392f2 -o br-87e1f9a392f2 -p tcp -m tcp --dport 8080 -j ACCEPT
//追加DOCKER-ISOLATION链,并指定数据包从br-87e1f9a392f2网卡流入,从docker0网卡流出,作为丢弃对象
-A DOCKER-ISOLATION -i br-87e1f9a392f2 -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-87e1f9a392f2 -j DROP
//追加DOCKER-ISOLATION链规则,其余数据包返回(RETURN)到调用它的FORWARD链继续匹配
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
二、nat(地址转换规则表)
$ iptables -nL --line-number -t nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
2 MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
3 MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:6800
4 MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:80
5 MASQUERADE tcp -- 172.17.0.4 172.17.0.4 tcp dpt:8080
6 MASQUERADE tcp -- 172.17.0.5 172.17.0.5 tcp dpt:8080
7 MASQUERADE tcp -- 172.17.0.9 172.17.0.9 tcp dpt:1804
8 MASQUERADE tcp -- 172.17.0.10 172.17.0.10 tcp dpt:22000
9 MASQUERADE tcp -- 172.17.0.10 172.17.0.10 tcp dpt:8384
10 MASQUERADE tcp -- 172.17.0.11 172.17.0.11 tcp dpt:5000
11 MASQUERADE tcp -- 172.17.0.12 172.17.0.12 tcp dpt:1604
12 MASQUERADE tcp -- 172.17.0.13 172.17.0.13 tcp dpt:53
13 MASQUERADE udp -- 172.17.0.13 172.17.0.13 udp dpt:53
14 MASQUERADE tcp -- 172.17.0.14 172.17.0.14 tcp dpt:1404
15 MASQUERADE tcp -- 172.17.0.15 172.17.0.15 tcp dpt:8080
16 MASQUERADE tcp -- 172.18.0.6 172.18.0.6 tcp dpt:8080
Chain DOCKER (2 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0
3 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6800 to:172.17.0.3:6800
4 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6789 to:172.17.0.3:80
5 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4096 to:172.17.0.4:8080
6 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9001 to:172.17.0.5:8080
7 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1804 to:172.17.0.9:1804
8 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22000 to:172.17.0.10:22000
9 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8384 to:172.17.0.10:8384
10 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 to:172.17.0.11:5000
11 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1604 to:172.17.0.12:1604
12 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:172.17.0.13:53
13 DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:172.17.0.13:53
14 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1404 to:172.17.0.14:1404
15 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001 to:172.17.0.15:8080
16 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5555 to:172.18.0.6:8080
$ iptables -S -t nat
-P PREROUTING ACCEPT //将PREROUTING链的默认策略设为ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER //新建一条DOCKER链
//追加PREROUTING链规则,经addrtype匹配模块匹配目标地址类型为本地(LOCAL)的数据包,跳至DOCKER链
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
//追加OUTPUT链规则,匹配目标地址不在127.0.0.0/8内、且经addrtype匹配模块判定目标地址类型为本地(LOCAL)的数据包,跳至DOCKER链
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
//追加POSTROUTING链规则,匹配源地址为172.17.0.0/16且不从docker0网卡流出(即离开容器网络)的数据包,作为地址伪装(MASQUERADE)对象
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
//追加POSTROUTING链,并以172.18.0.0/16为源IP地址,但指定数据包不从br-87e1f9a392f2网卡流出,作为地址伪装对象
-A POSTROUTING -s 172.18.0.0/16 ! -o br-87e1f9a392f2 -j MASQUERADE
//追加POSTROUTING链规则,匹配源地址与目标地址均为172.17.0.3/32、协议为TCP(tcp匹配模块)、目标端口为6800的数据包,作为地址伪装对象;此类规则用于容器经宿主机发布端口访问自身时的回环(hairpin)NAT
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 6800 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.5/32 -d 172.17.0.5/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.9/32 -d 172.17.0.9/32 -p tcp -m tcp --dport 1804 -j MASQUERADE
-A POSTROUTING -s 172.17.0.10/32 -d 172.17.0.10/32 -p tcp -m tcp --dport 22000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.10/32 -d 172.17.0.10/32 -p tcp -m tcp --dport 8384 -j MASQUERADE
-A POSTROUTING -s 172.17.0.11/32 -d 172.17.0.11/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.12/32 -d 172.17.0.12/32 -p tcp -m tcp --dport 1604 -j MASQUERADE
-A POSTROUTING -s 172.17.0.13/32 -d 172.17.0.13/32 -p tcp -m tcp --dport 53 -j MASQUERADE
//追加POSTROUTING链规则,匹配源地址与目标地址均为172.17.0.13/32、协议为UDP(udp匹配模块)、目标端口为53的数据包,作为地址伪装对象
-A POSTROUTING -s 172.17.0.13/32 -d 172.17.0.13/32 -p udp -m udp --dport 53 -j MASQUERADE
-A POSTROUTING -s 172.17.0.14/32 -d 172.17.0.14/32 -p tcp -m tcp --dport 1404 -j MASQUERADE
-A POSTROUTING -s 172.17.0.15/32 -d 172.17.0.15/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
//追加DOCKER链,并指定数据包从docker0网卡流入,作为返回调用链
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-87e1f9a392f2 -j RETURN
//追加DOCKER链规则,匹配从除docker0外的网卡流入、协议为TCP(tcp匹配模块)、目标端口为6800的数据包,做目标地址转换(DNAT),转发到172.17.0.3:6800
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6800 -j DNAT --to-destination 172.17.0.3:6800
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6789 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 4096 -j DNAT --to-destination 172.17.0.4:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.17.0.5:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1804 -j DNAT --to-destination 172.17.0.9:1804
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 22000 -j DNAT --to-destination 172.17.0.10:22000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8384 -j DNAT --to-destination 172.17.0.10:8384
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.11:5000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1604 -j DNAT --to-destination 172.17.0.12:1604
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.17.0.13:53
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.13:53
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 1404 -j DNAT --to-destination 172.17.0.14:1404
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 172.17.0.15:8080
-A DOCKER ! -i br-87e1f9a392f2 -p tcp -m tcp --dport 5555 -j DNAT --to-destination 172.18.0.6:8080