Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 500,4500,1701
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 192.168.18.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.31.0.0/24 0.0.0.0/0
ACCEPT all -- 10.31.1.0/24 0.0.0.0/0
ACCEPT all -- 10.31.2.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 172.17.0.2 udp dpt:4500
ACCEPT udp -- 0.0.0.0/0 172.17.0.2 udp dpt:500
ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.17.0.7 tcp dpt:9001
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:25
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Ports 25, 143, and 587 below should have been added automatically by Docker. Do I still need to open the corresponding ports on the host to access them?
学习ing 2017-07-05 10:48:55
It depends on your Docker network mode.
If it is bridge mode, the port mapping rule is ip:port:targetPort.
For example, 0.0.0.0:80:8080 means that port 80 of the host is mapped to port 8080 of the container, with no restriction on the IP. In that case, any request to port 80 on the host is forwarded to port 8080 in the container, and no additional iptables settings are required. (This works even if the firewall has not opened port 80 in advance, because port mapping modifies the iptables rules by itself.)
If an IP address is explicitly specified, the iptables rule will restrict access so that only port 80 of that IP reaches port 8080 in the container. Docker port mapping is actually network interoperability achieved by modifying iptables rules.
If it is net mode, it is the same as setting up a port listening on the host. There will be no additional changes to iptables rules; in that case you need to set up iptables manually to allow external access.
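As an added example (my own script, not part of this answer or of Docker's tooling), here is a parser for `iptables -L -n` output like the listing in the question that reports which container ports the DOCKER chain accepts from any source; because that chain is entered from FORWARD rather than INPUT, those ports are reachable regardless of the host's INPUT rules. The sample listing is constructed from lines in the question, and the function names are my own.

```python
import re

# Constructed sample: FORWARD and DOCKER chain lines taken from the question's listing.
SAMPLE = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- 0.0.0.0/0 0.0.0.0/0
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 172.17.0.2 udp dpt:4500
ACCEPT tcp -- 0.0.0.0/0 172.17.0.5 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.18.0.2 tcp dpt:25
"""

def parse_chains(listing):
    """Split `iptables -L -n` output into {chain_name: [rule fields, ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line.split())
    return chains

def docker_chain_reachable(chains):
    """True if FORWARD jumps to DOCKER, i.e. published ports bypass the INPUT chain."""
    return any(rule[0] == "DOCKER" for rule in chains.get("FORWARD", []))

def published_ports(chains):
    """(container_ip, proto, port, allowed_source) for each ACCEPT rule in DOCKER."""
    found = []
    for fields in chains.get("DOCKER", []):
        if fields[0] != "ACCEPT" or len(fields) < 5:
            continue
        _, proto, _, src, dst = fields[:5]
        for tok in fields[5:]:
            if tok.startswith("dpt:"):
                found.append((dst, proto, int(tok[4:]), src))
    return found

def world_reachable(listing):
    """Container ports accepted from any source (-n without -v hides interfaces)."""
    chains = parse_chains(listing)
    if not docker_chain_reachable(chains):
        return []  # DOCKER chain exists but nothing routes traffic into it
    return sorted((ip, proto, port) for ip, proto, port, src in published_ports(chains)
                  if src == "0.0.0.0/0")
```

Run it against live output with `iptables -L -n` piped into `world_reachable`; the source check is address-only, so a rule restricted by interface would need `-v` output to be judged.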