[root@zsp ~]# iptables -t nat -L -n | grep 80
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3344
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3344 to:172.17.0.2:80
[root@zsp ~]# iptables -t nat -L -n | grep 3344
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3344
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3344 to:172.17.0.2:80
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:mysql
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ddi-tcp-1 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpts:39000:safetynetp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:cslistener ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:cslistener ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:bnt-manager ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:influence ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:trnsprntproxy ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:radan-http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:dyna-access ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:erpc ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:erpc ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:301 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@zsp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:mysql
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED
ACCEPT all -- anywhere anywhere ctstate NEW,UNTRACKED
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ddi-tcp-1 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpts:39000:safetynetp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:cslistener ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:cslistener ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:bnt-manager ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:influence ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:trnsprntproxy ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:radan-http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:dyna-access ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:erpc ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:erpc ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:301 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@zsp ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3344
[root@zsp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere any
[root@zsp ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9a83cf9e6c53 zspdisk7.0 "java -Djava.securit…" 2 days ago Up 2 days 0.0.0.0:443->443/tcp, 0.0.0.0:3344->80/tcp zspdisk7.0
acf3632502be mysql "docker-entrypoint.s…" 5 weeks ago Up 2 days 33060/tcp, 0.0.0.0:3310->3306/tcp mysql01
我在主机上使用的端口映射如下：
[root@zsp ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3344
一旦加上这条端口映射（把 80 端口重定向到 3344），容器就无法访问外网。主机上 ip addr 的输出如下：
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:10:19:bd brd ff:ff:ff:ff:ff:ff
inet x.x.x.x/20 brd 172.16.191.255 scope global dynamic eth0
valid_lft 312090154sec preferred_lft 312090154sec
inet6 fe80::216:3eff:fe10:19bd/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:80:63:8c:b7 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:80ff:fe63:8cb7/64 scope link
valid_lft forever preferred_lft forever
263: vethea39945@if262: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 02:a3:fb:43:7b:51 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::a3:fbff:fe43:7b51/64 scope link
valid_lft forever preferred_lft forever
269: veth31e5b1f@if268: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 86:9e:ed:58:f9:38 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::849e:edff:fe58:f938/64 scope link
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:10:19:bd brd ff:ff:ff:ff:ff:ff
inet 172.16.176.197/20 brd 172.16.191.255 scope global dynamic eth0
valid_lft 312090154sec preferred_lft 312090154sec
inet6 fe80::216:3eff:fe10:19bd/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:80:63:8c:b7 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:80ff:fe63:8cb7/64 scope link
valid_lft forever preferred_lft forever
263: vethea39945@if262: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 02:a3:fb:43:7b:51 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::a3:fbff:fe43:7b51/64 scope link
valid_lft forever preferred_lft forever
269: veth31e5b1f@if268: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 86:9e:ed:58:f9:38 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::849e:edff:fe58:f938/64 scope link
valid_lft forever preferred_lft forever