1. Environment
This host has Docker installed and runs one container with a port mapping.
The raw and mangle tables in iptables are both empty.
// Docker container
docker ps | grep 43040d1aba46
43040d1aba46 aylei/aliyun-exporter:0.3.1 "python -u /usr/loca…" 2 months ago Up 2 months 9522/tcp, 0.0.0.0:9525->9525/tcp gallant_lumiere
// iptables filter table configuration
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:9525
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
// iptables nat table configuration
[root@yunwei_jenkins-dev_1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.17.0.6 172.17.0.6 tcp dpt:9525
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9525 to:172.17.0.6:9525
2. How traffic passes through iptables
Next, let's walk through how traffic is handled as it passes through iptables. First we need to know how iptables is organised:
iptables has 4 tables (raw, mangle, nat, filter) and 5 chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING); traffic passing through iptables is processed by the 5 chains in order. See the diagram below:
1. First the traffic enters PREROUTING; since the raw and mangle tables are empty, we can go straight to the PREROUTING chain of the nat table:
Here we can see that the PREROUTING chain of the nat table sends all traffic destined for a local address to the DOCKER chain;
and the DOCKER chain contains a DNAT rule that redirects traffic to port 9525 on the host to 172.17.0.6:9525.
// nat table
# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.17.0.6 172.17.0.6 tcp dpt:9525
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9525 to:172.17.0.6:9525
2流译、再到input鏈,其中mangle表為空者疤,直接看nat福澡、filter表中的input鏈:
從【1】可以看到nat 中input鏈以及filter表的input鏈都沒做任何規(guī)則
// filter表
# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:9525
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
3. Then the OUTPUT chain; raw and mangle are empty, so look directly at the OUTPUT chains of the nat and filter tables.
From the listing above, the OUTPUT chain of the nat table sends all traffic whose destination is a local address other than a loopback address to the DOCKER chain, which then performs the same DNAT;
and the OUTPUT chain of the filter table has no rules.
4. Finally the POSTROUTING chain; mangle is empty, and the nat table performs dynamic SNAT (MASQUERADE) on traffic destined for 0.0.0.0/0 as it leaves, while traffic destined for 172.17.0.6 is forwarded to port 9525 (the second MASQUERADE rule).
PS:
This is based on a friend's explanation plus my own understanding; if there are mistakes, please point them out.