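1. Write the current iptables configuration to /etc/sysconfig/iptables
2. Save
/etc/init.d/iptables save
3. Edit the iptables configuration (vi /etc/sysconfig/iptables):
Add the three lines shown in red below at the appropriate places, then restart iptables. (30612 is the port on which the container provides its service externally.)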
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.10/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9000 -j ACCEPT
-A DOCKER -d 172.17.0.117/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 32095 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 30612 -j ACCEPT
COMMIT
# Completed on Thu Mar 3 13:34:42 2016
# Generated by iptables-save v1.4.7 on Thu Mar 3 13:34:42 2016
*nat
:PREROUTING ACCEPT [267:19881]
:POSTROUTING ACCEPT [8:480]
:OUTPUT ACCEPT [8:480]
:DOCKER - [0:0]
-A PREROUTING -p tcp -m tcp --dport 32095 -j DNAT --to-destination 172.17.0.7:32095
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.10/32 -d 172.17.0.10/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.117/32 -d 172.17.0.117/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.7/32 -d 172.17.0.7/32 -p tcp -m tcp --dport 32095 -j MASQUERADE
-A POSTROUTING -s 172.17.0.7/32 -d 172.17.0.7/32 -p tcp -m tcp --dport 30612 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.10:9000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 54321 -j DNAT --to-destination 172.17.0.117:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32095 -j DNAT --to-destination 172.17.0.7:32095
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 30612 -j DNAT --to-destination 172.17.0.7:30612
COMMIT
# Completed on Thu Mar 3 13:34:42 2016
Finally:
Restart the iptables service
# centos6.x
service iptables restart
# centos7.x
systemctl restart iptables.service
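
An added example, not part of the original page: a POSIX shell check to run on the edited file before restarting, confirming that a published container port has all three of its rules in the right tables. It assumes the three highlighted lines are the port's filter ACCEPT, nat MASQUERADE and nat DNAT rules; the names check_published_port and sample_rules and the sample file are constructed for illustration.

```shell
#!/bin/sh
# check_published_port FILE CONTAINER_IP HOST_PORT [CONTAINER_PORT]
# Prints each rule of the trio that FILE lacks; exit status = number missing.
# Assumption: the trio is filter ACCEPT + nat MASQUERADE + nat DNAT for the port.
check_published_port() {
    awk -v ip="$2" -v hport="$3" -v cport="${4:-$3}" '
        /^\*/ { table = substr($0, 2); next }   # table header: *filter, *nat
        $1 != "-A" { next }                     # skip chains, comments, COMMIT
        {
            line = $0 " "                       # pad so the last token matches whole
            to_cport = index(line, " --dport " cport " ")
        }
        table == "filter" && $2 == "DOCKER" && to_cport &&
            index(line, " -d " ip "/32 ") && index(line, " -j ACCEPT ") { accept = 1 }
        table == "nat" && $2 == "POSTROUTING" && to_cport &&
            index(line, " -s " ip "/32 ") && index(line, " -j MASQUERADE ") { masq = 1 }
        table == "nat" && $2 == "DOCKER" && index(line, " --dport " hport " ") &&
            index(line, " --to-destination " ip ":" cport " ") { dnat = 1 }
        END {
            if (!accept) { print "missing: filter DOCKER ACCEPT"; n++ }
            if (!masq)   { print "missing: nat POSTROUTING MASQUERADE"; n++ }
            if (!dnat)   { print "missing: nat DOCKER DNAT"; n++ }
            exit n + 0
        }
    ' "$1"
}

# Constructed sample in iptables-save format, modelled on the rules on this page.
sample_rules() {
    cat <<'EOF'
*filter
:DOCKER - [0:0]
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.117/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER -d 172.17.0.7/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 30612 -j ACCEPT
COMMIT
*nat
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.117/32 -d 172.17.0.117/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A POSTROUTING -s 172.17.0.7/32 -d 172.17.0.7/32 -p tcp -m tcp --dport 30612 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 54321 -j DNAT --to-destination 172.17.0.117:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 30612 -j DNAT --to-destination 172.17.0.7:30612
COMMIT
EOF
}

f=$(mktemp); sample_rules > "$f"
check_published_port "$f" 172.17.0.7 30612 && echo "30612: all three rules present"
rm -f "$f"
```

Pass the host port and the container port separately when they differ, as with the page's 54321 to 8080 mapping.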