https://morphyhu.szitcare.com/wordpress/?p=1314

Newer Docker versions use the DOCKER-USER chain

Important!!

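Check the host routing table, then log in to the Docker container and check its routing table as well. The source subnet in the nat POSTROUTING MASQUERADE rule (shown by iptables -t nat -L POSTROUTING, e.g. 172.17.0.0/16) must be the same subnet the container uses. Example:
The host routing table has 172.17.0.0, 172.18.0.0, 172.19.0.0 and 172.20.0.0.
The route inside the Docker container uses 172.18.0.0.
The iptables MASQUERADE rule uses 172.17.0.0.
Internet access from the container fails, because traffic sourced from 172.18.0.0/16 matches no MASQUERADE rule and leaves the host without source NAT.
So add: iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
(If 172.18.0.0/16 sits on a bridge other than docker0, name that bridge after "! -o" instead. A rule added by hand lasts only until the rules are flushed or the host reboots, unless it is saved.)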

  
  
# Rules Docker adds by default after the daemon starts (default bridge docker0, 172.17.0.0/16).
# Reference listing: dockerd installs these itself. -N fails when the chain already
# exists and -A appends a duplicate, so do not replay this while the rules are loaded.

# filter table: the chains Docker hooks into FORWARD.
iptables -N DOCKER  
iptables -N DOCKER-ISOLATION-STAGE-1  
iptables -N DOCKER-ISOLATION-STAGE-2  
# DOCKER-USER is the chain meant for the administrator's own filter rules.
iptables -N DOCKER-USER  
# nat table: this DOCKER chain receives the DNAT rules for published ports.
iptables -t nat -N DOCKER  
# Packets addressed to any local address are passed through nat/DOCKER ...
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER  
# ... and so is locally generated traffic, except for loopback destinations.
iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER  
# Source-NAT container traffic that leaves through any interface other than docker0.
# The -s subnet must be the subnet the containers really use, or they lose outbound access.
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE  
# Traffic arriving from docker0 returns before reaching any port-publishing DNAT rule.
iptables -t nat -A DOCKER -i docker0 -j RETURN  
# FORWARD is evaluated in this order: DOCKER-USER first, then isolation, then the accepts.
# Rules that must restrict container traffic therefore belong in DOCKER-USER.
iptables -A FORWARD -j DOCKER-USER  
iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1  
# Replies to connections that already exist may go to the containers.
iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
# New traffic towards docker0 is decided by the per-container rules in DOCKER.
iptables -A FORWARD -o docker0 -j DOCKER  
# Containers may open connections to anything outside the bridge.
iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT  
# Containers on docker0 may talk to each other without restriction.
iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT  
# Isolation: traffic leaving docker0 for another interface is checked in stage 2,
# which drops anything headed into docker0. With docker0 alone this pair can never
# match a packet; presumably it matters once further bridge networks add their own pairs.
iptables -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2  
iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN  
iptables -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP  
iptables -A DOCKER-ISOLATION-STAGE-2 -j RETURN  
# As shipped, DOCKER-USER only returns, so it filters nothing until rules are inserted above this one.
iptables -A DOCKER-USER -j RETURN  
   
#docker run --name smokeping -d -p 82:80 -e PUID=1000 -e PGID=1000 -e TZ=Asia/Shanghai -v /data/smokeping/data:/data -v /data/smokeping/config:/config linuxserver/smokeping   
# Rules Docker adds by default after the image above is started (-p 82:80, container at 172.17.0.2).
# Hairpin case: the container reaching its own published port is masqueraded.
iptables -t nat -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE  
# Host port 82 is rewritten to 172.17.0.2:80 for packets not arriving from docker0.
# The rule matches no destination address, so the port is published on every host address.
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 82 -j DNAT --to-destination 172.17.0.2:80  
# The rewritten packet is forwarded, not delivered locally, and is accepted here.
# Host INPUT rules never see it: restrict access in DOCKER-USER, or publish on one
# address only (for example -p 127.0.0.1:82:80).
iptables -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT  

sudo iptables

  
  
# Rules Docker adds by default after the daemon starts, written with sudo for a non-root shell.
# Reference listing only: -N fails if the chain exists and -A appends duplicates,
# so do not replay it on a host where dockerd has already loaded these rules.

# filter-table chains used by Docker; DOCKER-USER is the one meant for the administrator's rules.
sudo iptables -N DOCKER  
sudo iptables -N DOCKER-ISOLATION-STAGE-1  
sudo iptables -N DOCKER-ISOLATION-STAGE-2  
sudo iptables -N DOCKER-USER  
# nat-table chain that receives the DNAT rules for published ports.
sudo iptables -t nat -N DOCKER  
# Traffic to local addresses (incoming, and locally generated except loopback) goes through nat/DOCKER.
sudo iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER  
sudo iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER  
# Outbound source NAT for the container subnet; -s must match the subnet actually in use.
sudo iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE  
# Packets coming from docker0 return before any port-publishing DNAT rule.
sudo iptables -t nat -A DOCKER -i docker0 -j RETURN  
# FORWARD order: DOCKER-USER, then isolation, then the accept rules below.
sudo iptables -A FORWARD -j DOCKER-USER  
sudo iptables -A FORWARD -j DOCKER-ISOLATION-STAGE-1  
# Return traffic of established connections towards the containers.
sudo iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
# New inbound traffic is decided by the per-container rules in DOCKER.
sudo iptables -A FORWARD -o docker0 -j DOCKER  
# Container-to-outside and container-to-container traffic on docker0 are both accepted.
sudo iptables -A FORWARD -i docker0 ! -o docker0 -j ACCEPT  
sudo iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT  
# Isolation: packets leaving docker0 for another interface are dropped in stage 2
# if they would re-enter docker0, otherwise they return to FORWARD.
sudo iptables -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2  
sudo iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN  
sudo iptables -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP  
sudo iptables -A DOCKER-ISOLATION-STAGE-2 -j RETURN  
# DOCKER-USER ends with RETURN; on its own it filters nothing.
sudo iptables -A DOCKER-USER -j RETURN  
   
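#docker run --name smokeping -d -p 82:80 -e PUID=1000 -e PGID=1000 -e TZ=Asia/Shanghai -v /data/smokeping/data:/data -v /data/smokeping/config:/config linuxserver/smokeping   
# Rules Docker adds by default after the image above is started (-p 82:80, container at 172.17.0.2).
# Prefixed with sudo like the rest of this section; without it these three
# commands fail for a non-root user.
# Hairpin case: the container reaching its own published port is masqueraded.
sudo iptables -t nat -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE  
# Host port 82 is rewritten to 172.17.0.2:80 for packets not arriving from docker0.
# No destination address is matched, so the port is published on every host address.
sudo iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 82 -j DNAT --to-destination 172.17.0.2:80  
# The rewritten packet is forwarded and accepted here; host INPUT rules do not apply to it.
# Restrict access in DOCKER-USER, or publish on one address only (for example -p 127.0.0.1:82:80).
sudo iptables -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT  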

iptables-save

  
# Generated by iptables-save v1.4.21 on Mon Jan 21 14:26:28 2019  
# nat table. The DOCKER chain holds only the docker0 RETURN rule, so no port
# was published (no DNAT rule) when this dump was taken.
*nat  
:PREROUTING ACCEPT [76:8149]  
:INPUT ACCEPT [19:1447]  
:OUTPUT ACCEPT [0:0]  
:POSTROUTING ACCEPT [0:0]  
:DOCKER - [0:0]  
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER  
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER  
# Only 172.17.0.0/16 is source-NATed; containers on any other subnet get no outbound NAT from this rule.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE  
-A DOCKER -i docker0 -j RETURN  
COMMIT  
# Completed on Mon Jan 21 14:26:28 2019  
# Generated by iptables-save v1.4.21 on Mon Jan 21 14:26:28 2019  
# filter table. All three built-in policies are ACCEPT in this capture, FORWARD included,
# so a forwarded packet that matches no rule below is allowed through.
*filter  
:INPUT ACCEPT [70:5722]  
:FORWARD ACCEPT [0:0]  
:OUTPUT ACCEPT [42:4460]  
:DOCKER - [0:0]  
:DOCKER-ISOLATION-STAGE-1 - [0:0]  
:DOCKER-ISOLATION-STAGE-2 - [0:0]  
:DOCKER-USER - [0:0]  
# DOCKER-USER is consulted first, so administrator restrictions belong there.
-A FORWARD -j DOCKER-USER  
-A FORWARD -j DOCKER-ISOLATION-STAGE-1  
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
-A FORWARD -o docker0 -j DOCKER  
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT  
-A FORWARD -i docker0 -o docker0 -j ACCEPT  
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2  
-A DOCKER-ISOLATION-STAGE-1 -j RETURN  
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP  
-A DOCKER-ISOLATION-STAGE-2 -j RETURN  
# The only DOCKER-USER rule is RETURN: no administrator filtering is in place here.
-A DOCKER-USER -j RETURN  
COMMIT  
# Completed on Mon Jan 21 14:26:28 2019  

iptables -S

  
-P INPUT ACCEPT  
-P FORWARD ACCEPT  
-P OUTPUT ACCEPT  
-N DOCKER  
-N DOCKER-ISOLATION-STAGE-1  
-N DOCKER-ISOLATION-STAGE-2  
-N DOCKER-USER  
-A FORWARD -j DOCKER-USER  
-A FORWARD -j DOCKER-ISOLATION-STAGE-1  
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT  
-A FORWARD -o docker0 -j DOCKER  
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT  
-A FORWARD -i docker0 -o docker0 -j ACCEPT  
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2  
-A DOCKER-ISOLATION-STAGE-1 -j RETURN  
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP  
-A DOCKER-ISOLATION-STAGE-2 -j RETURN  
-A DOCKER-USER -j RETURN