Official reference documentation:
https://docs.docker.com/engine/reference/commandline/dockerd/
--iptables          Enable addition of iptables rules (default true)
--iptables=true     Enable addition of iptables rules
--iptables=false    Prevents the Docker daemon from adding iptables rules.

If multiple daemons manage iptables rules, they may overwrite rules set by another daemon. Be aware that disabling this option requires you to manually add iptables rules to expose container ports.

If you prevent Docker from adding iptables rules, Docker will also not add IP masquerading rules, even if you set --ip-masq to true. Without IP masquerading rules, Docker containers will not be able to connect to external hosts or the internet when using network other than default bridge.
https://docs.docker.com/network/iptables/
Prevent Docker from manipulating iptables

It is possible to set the iptables key to false in the Docker engine's configuration file at /etc/docker/daemon.json, but this option is not appropriate for most users. It is not possible to completely prevent Docker from creating iptables rules, and creating them after-the-fact is extremely involved and beyond the scope of these instructions. Setting iptables to false will more than likely break container networking for the Docker engine.
Other documents:
https://www.jianshu.com/p/69d3ab177655
CentOS 7

At the same time, we noticed that in Docker's behaviour, exposing a port with the -p option is done by operating on iptables. But CentOS 7 uses firewalld by default. Looking it up in the references:

Note. You need to distinguish between the iptables service and the iptables command. Although firewalld is a replacement for the firewall management provided by iptables service, it still uses the iptables command for dynamic communication with the kernel packet filter (netfilter). So it is only the iptables service that is replaced, not the iptables command. That can be a confusing distinction at first.

In actual use, without iptables.service, Docker's port forwarding still works fine, because iptables has been there all along. Docker creates its own iptables chains; if firewalld restarts, the chains Docker created also need to be recreated.

Author: kamiSDY
Link: https://www.jianshu.com/p/69d3ab177655
Source: Jianshu. Copyright belongs to the author. For commercial reposting, contact the author for authorization; for non-commercial reposting, credit the source.
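A small consistency check that ties the two points above together: the daemon.json iptables key from the Docker documentation, and the observation from the Jianshu post that a firewalld restart wipes the chains Docker created. This is an added example, not code from Docker or from the quoted post. It reads a daemon.json file and an iptables-save dump and reports whether Docker has been told not to manage iptables, or whether it expects to manage iptables but its chains are gone (the usual symptom after firewalld reloads). The chain names DOCKER, DOCKER-USER, DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 are the ones current Docker Engine creates; they are not listed on the page. The input files are constructed inline so the script runs offline; on a real host you would point it at /etc/docker/daemon.json and the output of iptables-save.

```shell
#!/bin/sh
# Added example (not from the Docker docs or the Jianshu post).
# Reports whether Docker's iptables handling is disabled in daemon.json and
# whether the chains Docker normally creates are present in an iptables-save dump.

# docker_iptables_disabled FILE -> prints "yes" if daemon.json sets "iptables": false
docker_iptables_disabled() {
    # tolerate whitespace variations such as  "iptables" : false
    if grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# missing_docker_chains FILE -> prints the Docker chains absent from an iptables-save dump
# (chain names are Docker's well-known ones; assumption, not taken from the page)
missing_docker_chains() {
    missing=""
    for chain in DOCKER DOCKER-USER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2; do
        # iptables-save declares a chain as ":NAME POLICY [packets:bytes]"
        if ! grep -q "^:$chain " "$1"; then
            missing="$missing $chain"
        fi
    done
    echo "${missing# }"
}

# verdict DAEMON_JSON IPTABLES_SAVE -> one-line assessment
verdict() {
    disabled=$(docker_iptables_disabled "$1")
    missing=$(missing_docker_chains "$2")
    if [ "$disabled" = yes ]; then
        echo "iptables=false: Docker adds no port-publishing or masquerade rules; they must be added by hand"
    elif [ -n "$missing" ]; then
        echo "Docker expects to manage iptables but chains are missing ($missing): rules were likely flushed (e.g. firewalld restart); restart dockerd to recreate them"
    else
        echo "Docker iptables chains present"
    fi
}

# --- constructed sample inputs (not captured from a real host) ---
tmp=$(mktemp -d)
printf '{\n  "iptables": true\n}\n' > "$tmp/daemon_on.json"
printf '{\n  "iptables": false\n}\n' > "$tmp/daemon_off.json"
cat > "$tmp/save_ok.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
COMMIT
EOF
cat > "$tmp/save_flushed.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

verdict "$tmp/daemon_on.json" "$tmp/save_ok.txt"
verdict "$tmp/daemon_on.json" "$tmp/save_flushed.txt"
verdict "$tmp/daemon_off.json" "$tmp/save_ok.txt"
# rm -rf "$tmp" once you are done with the sample files
```

The second sample dump reproduces what the post describes: after firewalld reloads its ruleset, the Docker chains are gone while dockerd still believes it manages them, so published ports silently stop working until dockerd is restarted. The check on the FORWARD policy is deliberately not part of the verdict; Docker sets it to DROP when it manages iptables, and a reload that restores ACCEPT is a second hint worth eyeballing in the dump.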