
webportal test environment iptables rules

I. Current rules in the iptables nat table:

[root@mcluster-webportal-node2 ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18000 -j DNAT --to-destination 172.17.0.26:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28000 -j DNAT --to-destination 172.17.0.27:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 172.17.0.29:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28001 -j DNAT --to-destination 172.17.0.30:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38001 -j DNAT --to-destination 172.17.0.34:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 48001 -j DNAT --to-destination 172.17.0.37:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38081 -j DNAT --to-destination 172.17.0.38:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38080 -j DNAT --to-destination 172.17.0.39:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 50022 -j DNAT --to-destination 172.17.0.38:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18080 -j DNAT --to-destination 172.17.0.53:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.17.0.54:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28081 -j DNAT --to-destination 172.17.0.55:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18081 -j DNAT --to-destination 172.17.0.56:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 21022 -j DNAT --to-destination 172.17.0.56:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 22022 -j DNAT --to-destination 172.17.0.55:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 23022 -j DNAT --to-destination 172.17.0.53:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 24022 -j DNAT --to-destination 172.17.0.54:22

II. Adding and deleting a specified rule in a chain

1. Look up the number of the rule in question

Chain PREROUTING (policy ACCEPT 5011 packets, 232K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      445 26784 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 397 packets, 25359 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    4477K  269M MASQUERADE  all  --  *      *       172.17.0.0/16       !172.17.0.0/16
2      102  6188 MASQUERADE  all  --  *      *       172.17.0.0/16       !172.17.0.0/16
3        0     0 MASQUERADE  all  --  *      *       172.17.0.0/16       !172.17.0.0/16

Chain OUTPUT (policy ACCEPT 358 packets, 23019 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8         ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1    18127 1078K DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18000 to:172.17.0.26:8000
2    18082 1076K DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:28000 to:172.17.0.27:8000
3     1329 78652 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18001 to:172.17.0.29:8001
4     1219 72316 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:28001 to:172.17.0.30:8001
5       18   936 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:38001 to:172.17.0.34:8001
6       93  4836 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:48001 to:172.17.0.37:8001
7       92  4728 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:38081 to:172.17.0.38:8081
8       18   912 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:38080 to:172.17.0.39:8080
9        4   208 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:50022 to:172.17.0.38:22
10      24  1248 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18080 to:172.17.0.53:8080
11      47  2444 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:28080 to:172.17.0.54:8080
12       2   104 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:28081 to:172.17.0.55:8081
13       0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:18081 to:172.17.0.56:8081
14       3   156 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21022 to:172.17.0.56:22
15       4   208 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22022 to:172.17.0.55:22
16       2   104 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23022 to:172.17.0.53:22
17       2   104 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:24022 to:172.17.0.54:22

2. Deleting a rule

For example, to delete the following rule:
14       3   156 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21022 to:172.17.0.56:22
use the following command:
iptables -t nat -D DOCKER 14

3. Adding a rule

For example, to forward requests arriving on host port 25022 to port 22 of the container with IP 172.17.0.58, the command is:
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 25022 -j DNAT --to-destination 172.17.0.58:22
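As an added example (not part of the original notes), a POSIX shell helper that reads an `iptables -t nat -S` dump from stdin and computes the rule number that section 2 looks up by hand, counts duplicated rules (the POSTROUTING MASQUERADE rule appears three times in the dump above) and lists host ports forwarded to container SSH. The sample dump is constructed from the listing in section I; on a live host, pipe the real `iptables -t nat -S` output into the same functions.

```shell
# Constructed sample: the POSTROUTING and DOCKER rules from the dump above, as `iptables -t nat -S` prints them.
SAMPLE_RULES='-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18000 -j DNAT --to-destination 172.17.0.26:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28000 -j DNAT --to-destination 172.17.0.27:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 172.17.0.29:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28001 -j DNAT --to-destination 172.17.0.30:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38001 -j DNAT --to-destination 172.17.0.34:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 48001 -j DNAT --to-destination 172.17.0.37:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38081 -j DNAT --to-destination 172.17.0.38:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38080 -j DNAT --to-destination 172.17.0.39:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 50022 -j DNAT --to-destination 172.17.0.38:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18080 -j DNAT --to-destination 172.17.0.53:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.17.0.54:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28081 -j DNAT --to-destination 172.17.0.55:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18081 -j DNAT --to-destination 172.17.0.56:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 21022 -j DNAT --to-destination 172.17.0.56:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 22022 -j DNAT --to-destination 172.17.0.55:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 23022 -j DNAT --to-destination 172.17.0.53:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 24022 -j DNAT --to-destination 172.17.0.54:22'

# rule_number CHAIN DPORT: position of the first "-A CHAIN" rule carrying "--dport DPORT".
# Positions are the current order in the chain, i.e. the <num> that `iptables -t nat -D CHAIN <num>`
# refers to; they shift whenever a rule is removed, so always compute them from a fresh dump.
rule_number() {
  awk -v chain="$1" -v dport="$2" '
    $1 == "-A" && $2 == chain {
      n++
      for (i = 3; i < NF; i++) if ($i == "--dport" && $(i + 1) == dport) { print n; exit }
    }'
}

# duplicate_rules: number of distinct rules that appear more than once in the dump.
duplicate_rules() {
  sort | uniq -d | wc -l | tr -d ' '
}

# ssh_forwards: host ports whose DNAT target is container port 22 (SSH reachable through the host).
ssh_forwards() {
  awk '$1 == "-A" && /--to-destination [0-9.]*:22$/ {
    for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }'
}

printf '%s\n' "$SAMPLE_RULES" | rule_number DOCKER 21022   # 14, the rule deleted in section 2
printf '%s\n' "$SAMPLE_RULES" | duplicate_rules            # 1 (the repeated MASQUERADE rule)
printf '%s\n' "$SAMPLE_RULES" | ssh_forwards
```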

