docker 和 iptables 冲突
在 /etc/ufw/before.rules 添加：

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT

ufw reload
ufw allow ssh
ufw deny 5000
ufw default deny
ufw default allow routed
ufw enable
ufw insert 1 allow from 192.168.56.1 to any port 5000

cat /etc/docker/daemon.json
{"insecure-registries":["192.168.0.11:5000","192.168.56.110:5000","harbor:5000"],"storage-driver":"overlay2","log-opts": {"max-size":"200m", "max-file":"3"},"iptables":false}
https://www.zhaokeli.com/article/8613.html
https://github.com/chaifeng/ufw-docker
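#!/bin/bash
# Restrict a fixed set of TCP ports so that only the listed source networks
# can reach them, both for traffic addressed to this host (INPUT) and for
# traffic forwarded through it (FORWARD, e.g. towards containers).
#
# Bug fixed: the original assigned the port list to `prot` but looped over
# `$port`, so the loop body never ran and no rule was ever installed.
#
# Rule ordering: every rule is inserted at the top of its chain (-I). For each
# port the DROP is inserted first and the ACCEPTs are inserted above it, so the
# resulting chain evaluates "ACCEPT from allowed net" before "DROP".
#
# Must run as root; iptables is invoked directly.
set -u

# TCP ports to restrict.
ports=(8014 3014 3015)

# Source networks allowed to reach those ports.
# NOTE(review): 11.0.0.0/8 and 192.169.0.0/16 are publicly routable ranges,
# not RFC 1918 private space — confirm they are intended (192.169.0.0/16 may
# be a typo for 192.168.0.0/16).
allowed_nets=(
  172.21.6.0/24
  172.20.7.0/24
  172.20.8.0/24
  11.0.0.0/8
  192.169.0.0/16
)

#######################################
# Install the DROP-then-ACCEPT rule set for one port in one chain.
# Arguments: $1 - chain (INPUT or FORWARD); $2 - TCP destination port
# Globals:   allowed_nets (read)
# Outputs:   none; iptables diagnostics go to stderr
# Returns:   0 if every iptables call succeeded, else the last failing status
#######################################
restrict_port() {
  local chain=$1 dport=$2 net rc=0
  # Inserted first, so it ends up below the ACCEPTs inserted afterwards.
  iptables -I "$chain" -p tcp --dport "$dport" -j DROP || rc=$?
  for net in "${allowed_nets[@]}"; do
    iptables -I "$chain" -s "$net" -p tcp --dport "$dport" -j ACCEPT || rc=$?
  done
  return "$rc"
}

#######################################
# Apply the rule set to every port in both the INPUT and FORWARD chains.
# Globals:   ports (read)
# Returns:   0 if every rule was installed, else the last failing status
#######################################
main() {
  local p rc=0
  for p in "${ports[@]}"; do
    restrict_port INPUT "$p" || rc=$?
    restrict_port FORWARD "$p" || rc=$?
  done
  return "$rc"
}

main "$@"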
# Limit TCP port 30201 in the raw PREROUTING chain while never filtering
# loopback traffic. Rules are inserted with -I, so the last one inserted ends
# up first; the final evaluation order is: localhost ACCEPT, 127.0.0.1 ACCEPT,
# 192.168.18.0/24 ACCEPT, then DROP for everything not from 192.168.188.0/24.
#
# NOTE(review): the DROP exempts 192.168.188.0/24 while the ACCEPT names
# 192.168.18.0/24. Both networks end up allowed, which may be intended, but
# the similar numbers also look like a typo — confirm which is meant.
restricted_port=30201

iptables -t raw -I PREROUTING ! -s 192.168.188.0/24 -p tcp --dport "$restricted_port" -j DROP
iptables -t raw -I PREROUTING -s 192.168.18.0/24 -p tcp --dport "$restricted_port" -j ACCEPT

# Loopback is always allowed. NOTE(review): iptables resolves `localhost` when
# the rule is inserted; where it resolves to 127.0.0.1 the second rule simply
# duplicates the first.
iptables -t raw -I PREROUTING -s 127.0.0.1 -j ACCEPT
iptables -t raw -I PREROUTING -s localhost -j ACCEPT
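#!/bin/bash
# Restrict a list of TCP ports in the raw PREROUTING chain: every port is
# blocked by default and only the listed source networks may reach it.
# Loopback sources are always accepted.
#
# Usage: $0 add | del
#   add  inserts the rules (-I)
#   del  deletes the same rules (-D)
#
# Fixes over the original: a missing or unknown argument now prints a usage
# line and exits 2 instead of silently doing nothing; the add and del paths
# share one rule generator so they cannot drift apart; the exit status
# reflects whether every iptables call succeeded.
#
# Rule ordering: -I inserts at the top, so for each port the DROP goes in
# first and the per-network ACCEPTs land above it; the two loopback ACCEPTs
# are inserted last and therefore end up at the very top of the chain.
# The raw table is evaluated before connection tracking, so ESTABLISHED
# rules elsewhere do not exempt packets from these drops.
#
# Must run as root; iptables is invoked directly.
set -u

# TCP ports to restrict. 37071 appears twice in the original list and is kept
# so that `del` still removes both copies of the rules inserted by earlier
# runs (each occurrence inserts, or deletes, one copy).
ports=(
  37071 17071 6443 60121 53443 43654 37073 37072 34896 32806 30281
  23284 18352 17073 17072 10250 8181 8000 4683 37071 35776 22
)

# Source networks allowed to reach those ports.
# NOTE(review): 11.0.0.0/8 and 192.169.0.0/16 are publicly routable ranges,
# not RFC 1918 private space — confirm they are intended.
allowed_nets=(
  172.21.6.0/24
  172.20.7.0/24
  172.20.8.0/24
  11.0.0.0/8
  192.169.0.0/16
  172.24.5.0/24
)

#######################################
# Insert or delete the full rule set.
# Arguments: $1 - iptables action flag: -I (insert) or -D (delete)
# Globals:   ports, allowed_nets (read)
# Outputs:   none; iptables diagnostics go to stderr
# Returns:   0 if every iptables call succeeded, else the last failing status
#######################################
manage_rules() {
  local action=$1 dport net rc=0
  for dport in "${ports[@]}"; do
    iptables -t raw "$action" PREROUTING -p tcp --dport "$dport" -j DROP || rc=$?
    for net in "${allowed_nets[@]}"; do
      iptables -t raw "$action" PREROUTING -s "$net" -p tcp --dport "$dport" -j ACCEPT || rc=$?
    done
  done
  # Loopback is always allowed. NOTE(review): iptables resolves `localhost`
  # at insert time; where it resolves to 127.0.0.1 the second rule is a
  # duplicate of the first.
  iptables -t raw "$action" PREROUTING -s 127.0.0.1 -j ACCEPT || rc=$?
  iptables -t raw "$action" PREROUTING -s localhost -j ACCEPT || rc=$?
  return "$rc"
}

# Kept under their original names for anyone sourcing this file.
add_iptables() { manage_rules -I; }
del_iptables() { manage_rules -D; }

usage() {
  printf 'Usage: %s add|del\n' "${0##*/}" >&2
}

#######################################
# Dispatch on the first argument.
# Arguments: $1 - "add" or "del"
# Returns:   the rule set's status; 2 on a missing/unknown argument
#######################################
main() {
  case "${1-}" in
    add) add_iptables ;;
    del) del_iptables ;;
    *)
      usage
      return 2
      ;;
  esac
}

main "$@"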
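#!/bin/bash
# Restrict a list of TCP ports in the raw PREROUTING chain: each port is
# blocked by default, the listed source networks may reach it, and a small
# deny list overrides the allow list for specific hosts. Loopback sources are
# always accepted.
#
# Usage: $0 add | del
#   add  inserts the rules (-I)
#   del  deletes the same rules (-D), then FLUSHES the whole raw table
#
# Fixes over the original: a missing or unknown argument now prints a usage
# line and exits 2 instead of silently doing nothing; the add and del paths
# share one rule generator so they cannot drift apart; the exit status
# reflects whether every iptables call succeeded.
#
# Rule ordering: -I inserts at the top. Per port the DROP goes in first, the
# per-network ACCEPTs above it, and the per-host DROPs last — so a denied host
# that lives inside an allowed network (192.168.1.80 in 192.168.1.0/24) is
# still dropped. The two loopback ACCEPTs end up at the very top.
# The raw table is evaluated before connection tracking, so ESTABLISHED
# rules elsewhere do not exempt packets from these drops.
#
# Must run as root; iptables is invoked directly.
set -u

# TCP ports to restrict.
ports=(179 3000 4194 5400 6633 6640 7225 8181 60248)

# Source networks allowed to reach those ports.
allowed_nets=(
  192.168.99.0/24
  192.168.1.0/24
  10.184.0.0/13
  10.0.0.0/17
)

# Hosts denied even though they fall inside an allowed network.
denied_hosts=(192.168.1.80)

#######################################
# Insert or delete the full rule set.
# Arguments: $1 - iptables action flag: -I (insert) or -D (delete)
# Globals:   ports, allowed_nets, denied_hosts (read)
# Outputs:   none; iptables diagnostics go to stderr
# Returns:   0 if every iptables call succeeded, else the last failing status
#######################################
manage_rules() {
  local action=$1 dport net host rc=0
  for dport in "${ports[@]}"; do
    iptables -t raw "$action" PREROUTING -p tcp --dport "$dport" -j DROP || rc=$?
    for net in "${allowed_nets[@]}"; do
      iptables -t raw "$action" PREROUTING -s "$net" -p tcp --dport "$dport" -j ACCEPT || rc=$?
    done
    # Inserted after the ACCEPTs so it is evaluated before them.
    for host in "${denied_hosts[@]}"; do
      iptables -t raw "$action" PREROUTING -s "$host" -p tcp --dport "$dport" -j DROP || rc=$?
    done
  done
  # Loopback is always allowed. NOTE(review): iptables resolves `localhost`
  # at insert time; where it resolves to 127.0.0.1 the second rule is a
  # duplicate of the first.
  iptables -t raw "$action" PREROUTING -s 127.0.0.1 -j ACCEPT || rc=$?
  iptables -t raw "$action" PREROUTING -s localhost -j ACCEPT || rc=$?
  return "$rc"
}

#######################################
# Insert the rule set.
# Returns:   manage_rules' status
#######################################
add_iptables() { manage_rules -I; }

#######################################
# Delete the rule set, then flush the raw table as the original script did.
# WARNING: `-F` removes EVERY rule in the raw table and `-X` every user-defined
# chain in it, including rules this script never created — the preceding
# per-rule deletes are therefore only meaningful if the flush is dropped.
# Keep the flush only if nothing else is expected to live in the raw table.
# Returns:   0 if every iptables call succeeded, else the last failing status
#######################################
del_iptables() {
  local rc=0
  manage_rules -D || rc=$?
  iptables -t raw -F || rc=$?
  iptables -t raw -X || rc=$?
  #iptables -t raw -Z
  return "$rc"
}

usage() {
  printf 'Usage: %s add|del\n' "${0##*/}" >&2
}

#######################################
# Dispatch on the first argument.
# Arguments: $1 - "add" or "del"
# Returns:   the rule set's status; 2 on a missing/unknown argument
#######################################
main() {
  case "${1-}" in
    add) add_iptables ;;
    del) del_iptables ;;
    *)
      usage
      return 2
      ;;
  esac
}

main "$@"
#iptables -t raw -nL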