docker防火墙使用的是底层iptables,封装后的firewalld默认不生效
如果想要使用firewalld,需要做以下调整:
让firewalld移除DOCKER-USER并新建一个
# Removing DOCKER-USER CHAIN (it won't exist at first) firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER # Flush rules from DOCKER-USER chain (again, these won't exist at first; firewalld seems to remember these even if the chain is gone) firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER # Add the DOCKER-USER chain to firewalld firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
加上你想要的规则,注意reject放在最后
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -j ACCEPT -m comment --comment "allows incoming from docker" firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -o eth0 -j ACCEPT -m comment --comment "allows docker to eth0" firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "allows docker containers to connect to the outside world" firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j RETURN -s 172.17.0.0/16 -m comment --comment "allow internal docker communication" ## 你可以直接允許來自特定 IP 的所有流量 firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -s 61.222.3.133/32 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j REJECT --reject-with icmp-host-unreachable -m comment --comment "reject all other traffic"
最后reload,并通过iptables -L确认是否正确生效
firewall-cmd --reload
参考链接:
https://holywhite.com/archives/489