首页 > 代码库 > webportal 测试环境 iptables规则
webportal 测试环境 iptables规则
一、目前现有的iptables nat表规则:
[root@mcluster-webportal-node2 ~]# iptables -t nat -S-P PREROUTING ACCEPT-P POSTROUTING ACCEPT-P OUTPUT ACCEPT-N DOCKER-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A DOCKER ! -i docker0 -p tcp -m tcp --dport 18000 -j DNAT --to-destination 172.17.0.26:8000 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 28000 -j DNAT --to-destination 172.17.0.27:8000 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 172.17.0.29:8001 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 28001 -j DNAT --to-destination 172.17.0.30:8001 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 38001 -j DNAT --to-destination 172.17.0.34:8001 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 48001 -j DNAT --to-destination 172.17.0.37:8001 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 38081 -j DNAT --to-destination 172.17.0.38:8081 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 38080 -j DNAT --to-destination 172.17.0.39:8080 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 50022 -j DNAT --to-destination 172.17.0.38:22 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 18080 -j DNAT --to-destination 172.17.0.53:8080 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.17.0.54:8080 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 28081 -j DNAT --to-destination 172.17.0.55:8081 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 18081 -j DNAT --to-destination 172.17.0.56:8081 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 21022 -j DNAT --to-destination 172.17.0.56:22 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 22022 -j DNAT --to-destination 172.17.0.55:22 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 23022 -j DNAT --to-destination 172.17.0.53:22 -A DOCKER ! -i docker0 -p tcp -m tcp --dport 24022 -j DNAT --to-destination 172.17.0.54:22
二、添加删除指定规则链1.查看相应规则的对应numberChain PREROUTING (policy ACCEPT 5011 packets, 232K bytes)num pkts bytes target prot opt in out source destination 1 445 26784 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL Chain POSTROUTING (policy ACCEPT 397 packets, 25359 bytes)num pkts bytes target prot opt in out source destination 1 4477K 269M MASQUERADE all -- * * 172.17.0.0/16 !172.17.0.0/16 2 102 6188 MASQUERADE all -- * * 172.17.0.0/16 !172.17.0.0/16 3 0 0 MASQUERADE all -- * * 172.17.0.0/16 !172.17.0.0/16 Chain OUTPUT (policy ACCEPT 358 packets, 23019 bytes)num pkts bytes target prot opt in out source destination 1 1 60 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL Chain DOCKER (2 references)num pkts bytes target prot opt in out source destination 1 18127 1078K DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18000 to:172.17.0.26:8000 2 18082 1076K DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28000 to:172.17.0.27:8000 3 1329 78652 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18001 to:172.17.0.29:8001 4 1219 72316 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28001 to:172.17.0.30:8001 5 18 936 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38001 to:172.17.0.34:8001 6 93 4836 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48001 to:172.17.0.37:8001 7 92 4728 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38081 to:172.17.0.38:8081 8 18 912 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38080 to:172.17.0.39:8080 9 4 208 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50022 to:172.17.0.38:22 10 24 1248 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18080 to:172.17.0.53:8080 11 47 2444 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28080 to:172.17.0.54:8080 12 2 104 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28081 to:172.17.0.55:8081 13 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18081 to:172.17.0.56:8081 14 3 156 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21022 to:172.17.0.56:22 15 4 208 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22022 to:172.17.0.55:22 16 2 104 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23022 to:172.17.0.53:22 17 2 104 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:24022 to:172.17.0.54:22
2.删除
如删除下面这条规则
14 3 156 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21022 to:172.17.0.56:22
使用如下命令即可:
iptables -t nat -D DOCKER 14
3.新增一条规则
如将宿主机的25022 port的请求转发至ip为172.17.0.58这个container的22 port上,命令如下:
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 25022 -j DNAT --to-destination 172.17.0.58:22
webportal 测试环境 iptables规则
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。