centos7 docker配置防火墙firewalld

docker防火墙使用的是底层iptables，封装后的firewalld默认不生效

如果想要使用firewalld，需要做以下调整：

让firewalld移除DOCKER-USER并新建一个

?

01 02 03 04 05 06 07 08

# Removing DOCKER-USER CHAIN (it won't exist at first) firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER   # Flush rules from DOCKER-USER chain (again, these won't exist at first; firewalld seems to remember these even if the chain is gone) firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER   # Add the DOCKER-USER chain to firewalld firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER

加上你想要的规则，注意reject放在最后

?

01 02 03 04 05 06 07 08

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -j ACCEPT -m comment --comment "allows incoming from docker" firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -o eth0 -j ACCEPT -m comment --comment "allows docker to eth0" firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "allows docker containers to connect to the outside world" firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j RETURN -s 172.17.0.0/16 -m comment --comment "allow internal docker communication"   ## 你可以直接允許來自特定 IP 的所有流量 firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -s 61.222.3.133/32 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j REJECT --reject-with icmp-host-unreachable -m comment --comment "reject all other traffic"

最后reload，并通过iptables -L确认是否正确生效

?

01	firewall-cmd --reload

参考链接：

https://holywhite.com/archives/489