docker 使用 iptables 进行网络通信

docker 是虽然是一个容器，但是也是一个小型的系统，它也有自己的网络，因此 docker 和宿主机之间网络通信也是要配置的，你有以下方式

通过 --net=host 直接共用宿主机网络
通过 -p 宿主机端口:容器端口进行指定，而这种方式需要用 iptables 进行转换

如何利用 iptables 进行转发呢？

配置 SELINUX=disabled

如下所示

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

开启系统转换

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

配置 iptables

*nat
:PREROUTING ACCEPT [27:11935]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE

COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [0:0]
#:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]

:DOCKER - [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 172.17.0.0/16 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT

-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT

-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT

-A FORWARD -s 172.17.0.0/16 -j ACCEPT
-A FORWARD -d 172.17.0.0/16 -j ACCEPT

COMMIT

最后重启 Centos 系统

reboot