When starting a container with NAT-mapped ports, iptables reports "No chain/target/match by that name"

```shell
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper

Error response from daemon: Cannot start container 565c06efde6cd4411e2596ef3d726817c58dd777bc5fd13762e0c34d86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name
```


After searching countless websites and the official issue tracker I still could not find a real solution: the posts reposted everywhere only analyse the cause and give no concrete fix. A colleague and I worked through the night and finally solved it.

Locate the system's /etc/sysconfig/iptables:

```shell
iptables-save > /etc/sysconfig/iptables

cat /etc/sysconfig/iptables
```


Its contents were as follows:

```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
#syn
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
#DOS
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
## some basic firewall rules omitted
```

The error from the container start contains `-A DOCKER`: the daemon is appending a rule to a `DOCKER` chain, and the file above defines no such chain.

Since I had not hit this problem while learning Docker on my own machine (Arch Linux), I immediately looked at the iptables file on that system. Its contents are as follows:

```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
```

The *nat rules contain the following Docker-related configuration:

```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
```

And the *filter rules contain:

```
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
```

After removing the unrelated rules, the configuration file looks like this (it can be used as-is):

```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
```

Then add your own server's filter rules, merge the two, and overwrite /etc/sysconfig/iptables on CentOS 7 with the result.

Restart the iptables service:

```shell
systemctl restart iptables.service
```

Start the corresponding Docker container again:

```shell
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
```

The container now starts successfully. There is a warning, but it does not affect use of the container.
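As an added example (not part of the original post), the following POSIX shell check scans an iptables-save dump for the Docker chain declarations and jump rules shown above, so a merged /etc/sysconfig/iptables can be verified before it is restored and the service restarted. The function names and the two sample dumps are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check an iptables-save dump for the
# chains and jump rules Docker needs before the file is restored and the service
# restarted. The rule set checked mirrors the cleaned-up file above; the sample
# dumps at the bottom are constructed for demonstration.

# check_docker_rules FILE -- prints one line per missing item, returns the count.
check_docker_rules() {
    file="$1"
    missing=0
    while IFS='|' read -r table pattern desc; do
        # Only lines between "*<table>" and its COMMIT are tested against the regex.
        if ! awk -v t="$table" -v p="$pattern" '
                $0 == ("*" t) { in_t = 1; next }
                in_t && $0 == "COMMIT" { in_t = 0 }
                in_t && $0 ~ p { found = 1 }
                END { if (found) exit 0; exit 1 }' "$file"; then
            echo "missing in *$table: $desc"
            missing=$((missing + 1))
        fi
    done <<EOF
nat|^:DOCKER |DOCKER chain declaration
nat|^-A PREROUTING .*-j DOCKER|PREROUTING jump to DOCKER
nat|^-A OUTPUT .*-j DOCKER|OUTPUT jump to DOCKER
nat|^-A POSTROUTING -s 172[.]17[.]0[.]0/16 .*-j MASQUERADE|MASQUERADE for the docker0 subnet
filter|^:DOCKER |DOCKER chain declaration
filter|^-A FORWARD -o docker0 -j DOCKER|FORWARD jump to DOCKER
EOF
    return $missing
}

# Constructed sample: a server file like the one that produced the error (no DOCKER chain).
sample_without_docker() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT' 'COMMIT'
}

# Constructed sample: the same file after merging in the Docker rules.
sample_with_docker() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':DOCKER - [0:0]' \
        '-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' \
        '-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER' \
        '-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' 'COMMIT' \
        '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':DOCKER - [0:0]' '-A FORWARD -o docker0 -j DOCKER' \
        '-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT' 'COMMIT'
}

# Usage: check_docker_rules /etc/sysconfig/iptables && echo "Docker rules present"
```

Run it against the merged file before `systemctl restart iptables.service`; a non-zero exit lists each missing chain or jump rule.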