docker 和iptables 冲突

在 /etc/ufw/before.rules 添加
# nat table for Docker's default bridge.  With "iptables": false in
# /etc/docker/daemon.json Docker no longer installs this MASQUERADE rule itself,
# so ufw has to carry it.  before.rules already holds a *filter table; this
# block must sit outside it (e.g. at the top of the file) with its own COMMIT.
*nat
:POSTROUTING ACCEPT [0:0]
# Source-NAT container traffic (172.17.0.0/16) that leaves on any interface
# other than docker0.
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT


# Reload so the *nat block added to /etc/ufw/before.rules takes effect.
ufw reload

# Open SSH before the firewall is switched on so enabling it cannot lock the
# administrator out.
ufw allow ssh
# 5000 is the registry port listed in /etc/docker/daemon.json; block it for
# everyone here, then punch a single-host exception at position 1 below.
ufw deny 5000
# Default policies: drop unsolicited incoming traffic, but allow forwarded
# (routed) traffic.  Docker is no longer managing iptables itself, so container
# traffic passing through the host presumably depends on this routed policy.
ufw default deny
ufw default allow routed
ufw enable
# Inserted at position 1 so it is evaluated before "deny 5000": only
# 192.168.56.1 may reach the registry port.
ufw insert 1 allow from 192.168.56.1 to any port 5000

# Daemon config this page relies on.  "iptables": false stops Docker from
# editing iptables itself — which is why the MASQUERADE rule for 172.17.0.0/16
# has to be added to ufw's before.rules by hand.  "insecure-registries" lets
# pulls from the listed registries proceed over plain HTTP or with an untrusted
# TLS certificate, so the list should stay limited to registries on networks
# you control.
cat /etc/docker/daemon.json 
{"insecure-registries":["192.168.0.11:5000","192.168.56.110:5000","harbor:5000"],"storage-driver":"overlay2","log-opts": {"max-size":"200m", "max-file":"3"},"iptables":false}

https://www.zhaokeli.com/article/8613.html

https://github.com/chaifeng/ufw-docker

 

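#!/bin/bash
# Restrict a set of TCP ports so that only the listed source networks may reach
# them, on both the INPUT (host-bound) and FORWARD (routed/container) paths.
#
# Fix: the list was assigned to "prot" while the loop read "$port", so the loop
# body never executed and no rules were ever installed.
#
# Rule order: iptables -I prepends, so for each port the catch-all DROP is
# inserted first and every ACCEPT afterwards, leaving the ACCEPTs above the
# DROP in the chain.

# TCP destination ports to protect (numeric, whitespace-separated; the loop
# below relies on word-splitting).
port="
8014
3014
3015
"

# Source networks allowed to reach the ports above.
# NOTE(review): 11.0.0.0/8 and 192.169.0.0/16 are publicly routable ranges —
# confirm they are intentional (192.169/16 may be a typo for 192.168/16).
allowed_src="
172.21.6.0/24
172.20.7.0/24
172.20.8.0/24
11.0.0.0/8
192.169.0.0/16
"

for i in $port; do
    for chain in INPUT FORWARD; do
        # DROP goes in first so the ACCEPTs inserted next sit above it.
        iptables -I "$chain" -p tcp --dport "$i" -j DROP
        for src in $allowed_src; do
            iptables -I "$chain" -s "$src" -p tcp --dport "$i" -j ACCEPT
        done
    done
done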
# Protect TCP/30201 in the raw PREROUTING chain.
# NOTE(review): the two subnets differ — the DROP exempts 192.168.188.0/24 while
# the ACCEPT names 192.168.18.0/24; confirm which one is intended.  As written
# (the second rule is inserted above the first), 192.168.18.0/24 is accepted
# explicitly, 192.168.188.0/24 simply never matches the DROP, and every other
# source is dropped.  ACCEPT in the raw table only ends raw-chain traversal;
# the filter table still sees the packet.
iptables -t raw -I PREROUTING  ! -s 192.168.188.0/24 -p tcp --dport 30201 -j DROP 
iptables -t raw -I PREROUTING  -s 192.168.18.0/24 -p tcp --dport 30201 -j ACCEPT

# Loopback sources are exempted unconditionally; -I places these above the two
# rules above.  They match on source address only, not "-i lo", so any packet
# claiming a 127.0.0.1 source is exempted — adding "-i lo" would tie the
# exemption to the loopback interface.  "localhost" is resolved to an address
# when the rule is loaded.
iptables -t raw -I PREROUTING  -s 127.0.0.1  -j ACCEPT
iptables -t raw -I PREROUTING  -s localhost  -j ACCEPT
#!/bin/bash
# zjport: allow the TCP ports below only from the networks in $ip, using the
# raw table's PREROUTING chain.  Invoked as "<script> add" or "<script> del";
# the dispatch is at the bottom of the file.

# TCP destination ports to protect.  One port per line; the functions below
# word-split this string, so keep it whitespace-separated.
# NOTE(review): 22 (SSH) is in the list — once "add" runs, SSH from any network
# not in $ip is dropped, so run this from a console or from an allowed network.
# 37071 appears twice, which installs (and later deletes) its rules twice.
port="
37071
17071
6443
60121
53443
43654
37073
37072
34896
32806
30281
23284
18352
17073
17072
10250
8181
8000
4683
37071
35776
22
"

# Source networks that may reach the ports above.
# NOTE(review): 11.0.0.0/8 and 192.169.0.0/16 are publicly routable ranges —
# confirm they are intentional (192.169/16 may be a typo for 192.168/16).
ip="
172.21.6.0/24
172.20.7.0/24
172.20.8.0/24
11.0.0.0/8
192.169.0.0/16
172.24.5.0/24
"

function add_iptables(){
    # Insert rules at the head of the raw PREROUTING chain: for every port in
    # $port a catch-all DROP, then one ACCEPT per network in $ip.  Because -I
    # prepends, each ACCEPT ends up above the DROP it exempts, and the loopback
    # ACCEPTs inserted last end up at the very top.  ACCEPT in the raw table
    # only ends raw-chain traversal; the filter table still sees the packet.
    local dport src lo
    for dport in $port; do
        iptables -t raw -I PREROUTING -p tcp --dport "$dport" -j DROP
        for src in $ip; do
            iptables -t raw -I PREROUTING -s "$src" -p tcp --dport "$dport" -j ACCEPT
        done
    done
    # NOTE(review): these match on source address only (no "-i lo"), so any
    # packet claiming a 127.0.0.1 source is exempted; "localhost" is resolved
    # to an address when the rule is loaded.
    for lo in 127.0.0.1 localhost; do
        iptables -t raw -I PREROUTING -s "$lo" -j ACCEPT
    done
}

function del_iptables(){
    # Remove exactly the rules add_iptables installs, one -D per rule, in the
    # same order.  -D deletes the first matching rule, so a rule that was
    # inserted twice (duplicate port) is removed twice as well.
    local dport src lo
    for dport in $port; do
        iptables -t raw -D PREROUTING -p tcp --dport "$dport" -j DROP
        for src in $ip; do
            iptables -t raw -D PREROUTING -s "$src" -p tcp --dport "$dport" -j ACCEPT
        done
    done
    for lo in 127.0.0.1 localhost; do
        iptables -t raw -D PREROUTING -s "$lo" -j ACCEPT
    done
}

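# Entry point: "add" installs the rules, "del" removes them.  Anything else
# prints usage and exits non-zero instead of silently doing nothing; the bare
# "exit" keeps the status of the last iptables call, as before.
case "${1:-}" in
    add)
        add_iptables
        exit
        ;;
    del)
        del_iptables
        exit
        ;;
    *)
        printf 'Usage: %s {add|del}\n' "${0##*/}" >&2
        exit 2
        ;;
esac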
zjport
#!/bin/bash
# sx: allow the TCP ports below only from the networks in $ip, with an explicit
# per-host blacklist, using the raw table's PREROUTING chain.  Invoked as
# "<script> add" or "<script> del"; the dispatch is at the bottom of the file.

# TCP destination ports to protect.  One port per line; the functions below
# word-split this string, so keep it whitespace-separated.
port="
179
3000
4194
5400
6633
6640
7225
8181
60248
"

# Source networks that may reach the ports above.
ip="
192.168.99.0/24
192.168.1.0/24
10.184.0.0/13
10.0.0.0/17
"


# Hosts dropped even though they fall inside an allowed network above
# (192.168.1.80 is within 192.168.1.0/24); add_iptables inserts their DROP
# above the network ACCEPT so the blacklist wins.
black_ip="
192.168.1.80
"

function add_iptables(){
    # Insert rules at the head of the raw PREROUTING chain.  Per port, in
    # insertion order: a catch-all DROP, one ACCEPT per network in $ip, then one
    # DROP per host in $black_ip.  Because -I prepends, the resulting chain
    # order is the reverse: blacklist DROPs first, then network ACCEPTs, then the
    # catch-all DROP — so a blacklisted host inside an allowed network is still
    # dropped.  The loopback ACCEPTs inserted last end up at the very top.
    local dport src bad lo
    for dport in $port; do
        iptables -t raw -I PREROUTING -p tcp --dport "$dport" -j DROP
        for src in $ip; do
            iptables -t raw -I PREROUTING -s "$src" -p tcp --dport "$dport" -j ACCEPT
        done
        for bad in $black_ip; do
            iptables -t raw -I PREROUTING -s "$bad" -p tcp --dport "$dport" -j DROP
        done
    done
    # NOTE(review): these match on source address only (no "-i lo"), so any
    # packet claiming a 127.0.0.1 source is exempted; "localhost" is resolved
    # to an address when the rule is loaded.
    for lo in 127.0.0.1 localhost; do
        iptables -t raw -I PREROUTING -s "$lo" -j ACCEPT
    done
}

function del_iptables(){
    # Remove the rules add_iptables installs, one -D per rule, in the same
    # order, then flush the whole raw table.
    local dport src bad lo
    for dport in $port; do
        iptables -t raw -D PREROUTING -p tcp --dport "$dport" -j DROP
        for src in $ip; do
            iptables -t raw -D PREROUTING -s "$src" -p tcp --dport "$dport" -j ACCEPT
        done
        for bad in $black_ip; do
            iptables -t raw -D PREROUTING -s "$bad" -p tcp --dport "$dport" -j DROP
        done
    done
    for lo in 127.0.0.1 localhost; do
        iptables -t raw -D PREROUTING -s "$lo" -j ACCEPT
    done

    # NOTE(review): -F flushes every rule in every chain of the raw table and -X
    # removes every user-defined chain in it — including rules this script never
    # added (e.g. NOTRACK rules owned by something else).  It also makes the
    # explicit -D calls above redundant.  Keep only if a full raw-table reset is
    # really what "del" is meant to do.
    iptables -t raw -F
    iptables -t raw -X
    #iptables -t raw -Z
}

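# Entry point: "add" installs the rules, "del" removes them.  Anything else
# prints usage and exits non-zero instead of silently doing nothing; the bare
# "exit" keeps the status of the last iptables call, as before.
case "${1:-}" in
    add)
        add_iptables
        exit
        ;;
    del)
        del_iptables
        exit
        ;;
    *)
        printf 'Usage: %s {add|del}\n' "${0##*/}" >&2
        exit 2
        ;;
esac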
#iptables -t raw -nL
sx

 
