问题1:
启动容器后,客户端访问服务时,会直接跳过firewalld规则,可以直接telnet容器端口
问题2:
容器访问宿主机端口需要单个开启端口规则,这里可以直接设置对宿主机容器开启权限
直接执行以下命令即可
EN_INTERFICE=`ifconfig |grep -E ^e|grep RUNNING|awk -F":" '{print $1}'`
cat>/etc/docker/daemon.json <<-EOF
{
"iptables": false
}
EOF
cat>>/etc/sysctl.conf <<-EOF
net.ipv4.ip_forward = 1
EOF
sysctl -p
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -i $EN_INTERFICE -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -o $EN_INTERFICE -j ACCEPT
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=22/tcp
systemctl restart docker
firewall-cmd --reload
firewall-cmd --zone=public --add-masquerade
firewall-cmd --query-masquerade
cat>> /etc/rc.local <<-EOF
firewall-cmd --zone=public --add-masquerade
systemctl restart nginx
EOF
解释:
net.ipv4.ip_forward = 1 开启转发
开启端口允许 firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -i $EN_INTERFICE -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 -o $EN_INTERFICE -j ACCEPT
宿主机对容器开启所有端口 firewall-cmd --permanent --zone=trusted --change-interface=docker0
执行后,容器内部可以访问外网 firewall-cmd --zone=public --add-masquerade
--------------------end
