https://morphyhu.szitcare.com/wordpress/?p=1314 New docker use DOCKER-USER Important!! check host route & login docker container check route. and iptables -L -t nat POSTROUTING MASQUERADE 172.17.0.0/16 must same submask. EX: host route have 172.17.0.0, 172.18.0.0, 172.19.0.0, 172.20.0.0 docker insdie route use 172.18.0.0 iptables MASQUERADE use 172.17.0.0 Docker Internet is failed. So add iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE #启动后默认增加的规则 iptables -N DOCKER iptables -N DOCKER-ISOLATION-STAGE-1 iptables -N DOCKER-ISOLATION-STAGE-2 iptables -N DOCKER-USER iptables -t nat -N DOCKER iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER iptables -t nat -A OUTPUT !

繼續閱讀

FireHOL is a language (and a program to run it) which builds secure, stateful firewalls from easy to understand, human-readable configurations. The configurations stay readable even for very complex setups.

繼續閱讀

http://sueboy.blogspot.com/2018/11/docker-iptables_12.html sudo iptables -vnL ======NAT===== sudo iptables -t nat -vnL 顯示行數 sudo iptables -t nat -L POSTROUTING -n –line-numbers -D 刪除那行 sudo iptables -t nat -D POSTROUTING x x is which line delete 確認docker網段補上 sudo iptables -t nat -A POSTROUTING -s 172.19.0.0/16 ! -o docker0 -j MASQUERADE

繼續閱讀

restart docker service iptables be reset Docker Basic rule (New Docker maybe change somethings) *nat :PREROUTING ACCEPT [27:11935] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [598:57368] :POSTROUTING ACCEPT [591:57092] :DOCKER - [0:0] -A PREROUTING -m addrtype –dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype –dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE COMMIT # Completed on Sun Sep 20 17:35:31 2015 # Generated by iptables-save v1.

繼續閱讀

http://blog.pulipuli.info/2011/07/ http://linux.vbird.org/linux_server/0250simple_firewall.php iptables \[-AI 鏈\] \[-io 網路介面\] \[-p tcp,udp\] \\ \> \[-s 來源IP/網域\] \[--sport 埠口範圍\] \\ \> \[-d 目標IP/網域\] \[--dport 埠口範圍\] -j \[ACCEPT|DROP|REJECT\] 選項與參數： \--sport 埠口範圍：限制來源的埠口號碼，埠口號碼可以是連續的，例如 1024:65535 \--dport 埠口範圍：限制目標的埠口號碼。 \[root@www ~\]# iptables -A INPUT \[-m state\] \[--state 狀態\] 選項與參數： \-m ：一些 iptables 的外掛模組，主要常見的有： state ：狀態模組 mac ：網路卡硬體位址 (hardware address) \--state ：一些封包的狀態，主要有： INVALID ：無效的封包，例如資料破損的封包狀態 ESTABLISHED：已經連線成功的連線狀態； NEW ：想要新建立連線的封包狀態； RELATED ：這個最常用！表示這個封包是與我們主機發送出去的封包有關 範例：只要已建立或相關封包就予以通過，只要是不合法封包就丟棄 \[root@www ~\]# iptables -A INPUT -m state \\ \> \--state RELATED,ESTABLISHED -j ACCEPT \[root@www ~\]# iptables -A INPUT -m state --state INVALID -j DROP https://www.

繼續閱讀

1、 http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATSG 1.1、Create instance form ami ：ami-vpc-nat-hvm choese best new ***NAT AMI*** 1.2、 Check．IPv4 forwarding is enabled and ICMP redirects are disabled in /etc/sysctl.d/10-nat-settings.conf IPv4 forwarding =1 Run．A script located at /usr/sbin/configure-pat.sh runs at startup and configures iptables IP masquerading. Here have problem, so must delete POSTROUTING sudo iptables -t nat -D POSTROUTING 1 2、 https://holtstrom.com/michael/blog/post/400/Port-Forwarding-Gateway-via-iptables-on-Linux.html eth0 10.0.0.219 52.78.165.129 eth1 10.0.1.149 web server 10.0.1.249 iptables -vxnL –line-numbers iptables -t nat -vxnL –line-numbers

繼續閱讀