First edit /etc/docker/daemon.json and set "iptables" to false, so that Docker stops adding its own rules to the host firewall and the rule set below is the only one in effect:
{
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "iptables": false
}
To have the iptables rules loaded at boot, use this systemd unit:
https://github.com/gronke/systemd-iptables
Then edit the iptables rule file (iptables-save / iptables-restore format):
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# eno16777728 = eth0 (the host's external interface)
-A POSTROUTING -o eno16777728 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ICMP
-A INPUT -p icmp -j ACCEPT
# Docker default bridge (docker0)
-A FORWARD -i docker0 -o eno16777728 -j ACCEPT
-A FORWARD -i eno16777728 -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Docker user-defined network (bridge br-f6fb0f164c0a)
-A FORWARD -i br-f6fb0f164c0a -o eno16777728 -j ACCEPT
-A FORWARD -i eno16777728 -o br-f6fb0f164c0a -j ACCEPT
-A FORWARD -i br-f6fb0f164c0a -o br-f6fb0f164c0a -j ACCEPT
# Incoming: accept replies to existing connections, then only SSH/HTTP/HTTPS
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
# Outgoing
-A OUTPUT -j ACCEPT
# Forwarding: drop anything not matched by the bridge rules above
-A FORWARD -j DROP
COMMIT