I. The iptables nat table rules currently on the host:
[root@mcluster-webportal-node2 ~]# iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18000 -j DNAT --to-destination 172.17.0.26:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28000 -j DNAT --to-destination 172.17.0.27:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 172.17.0.29:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28001 -j DNAT --to-destination 172.17.0.30:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38001 -j DNAT --to-destination 172.17.0.34:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 48001 -j DNAT --to-destination 172.17.0.37:8001
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38081 -j DNAT --to-destination 172.17.0.38:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 38080 -j DNAT --to-destination 172.17.0.39:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 50022 -j DNAT --to-destination 172.17.0.38:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18080 -j DNAT --to-destination 172.17.0.53:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28080 -j DNAT --to-destination 172.17.0.54:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 28081 -j DNAT --to-destination 172.17.0.55:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18081 -j DNAT --to-destination 172.17.0.56:8081
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 21022 -j DNAT --to-destination 172.17.0.56:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 22022 -j DNAT --to-destination 172.17.0.55:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 23022 -j DNAT --to-destination 172.17.0.53:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 24022 -j DNAT --to-destination 172.17.0.54:22
Two things about the listing above are worth noting before touching it. The three identical MASQUERADE rules in POSTROUTING are redundant (only the first can ever match) and typically accumulate from repeated restarts of the Docker daemon; they are harmless. The DNAT rules in the DOCKER chain match on `! -i docker0` only, with no destination address or source restriction, so every mapped port, including the container sshd ports 50022, 21022, 22022, 23022 and 24022, is reachable on every host address from any network the host itself is reachable from.

II. Adding and deleting a specific rule in a chain
1. Look up the line number of the rule concerned
The listing below is what `iptables -t nat -nvL --line-numbers` prints for the same table. The `num` column is the position within the chain that `-D <chain> <num>` refers to; `pkts` and `bytes` show how much traffic each rule has matched so far.
Chain PREROUTING (policy ACCEPT 5011 packets, 232K bytes)
num pkts bytes target prot opt in out source destination
1 445 26784 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 397 packets, 25359 bytes)
num pkts bytes target prot opt in out source destination
1 4477K 269M MASQUERADE all -- * * 172.17.0.0/16 !172.17.0.0/16
2 102 6188 MASQUERADE all -- * * 172.17.0.0/16 !172.17.0.0/16
3 0 0 MASQUERADE all -- * * 172.17.0.0/16 !172.17.0.0/16
Chain OUTPUT (policy ACCEPT 358 packets, 23019 bytes)
num pkts bytes target prot opt in out source destination
1 1 60 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
1 18127 1078K DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18000 to:172.17.0.26:8000
2 18082 1076K DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28000 to:172.17.0.27:8000
3 1329 78652 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18001 to:172.17.0.29:8001
4 1219 72316 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28001 to:172.17.0.30:8001
5 18 936 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38001 to:172.17.0.34:8001
6 93 4836 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:48001 to:172.17.0.37:8001
7 92 4728 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38081 to:172.17.0.38:8081
8 18 912 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38080 to:172.17.0.39:8080
9 4 208 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50022 to:172.17.0.38:22
10 24 1248 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18080 to:172.17.0.53:8080
11 47 2444 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28080 to:172.17.0.54:8080
12 2 104 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:28081 to:172.17.0.55:8081
13 0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:18081 to:172.17.0.56:8081
14 3 156 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21022 to:172.17.0.56:22
15 4 208 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22022 to:172.17.0.55:22
16 2 104 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23022 to:172.17.0.53:22
17 2 104 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:24022 to:172.17.0.54:22
2. Deleting a rule
For example, to delete the rule below:
14 3 156 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21022 to:172.17.0.56:22
run:
iptables -t nat -D DOCKER 14
Deleting by number works, but the numbers are positions, not identifiers: every rule after the deleted one moves up by one, so re-list the chain before each further `-D <num>`, or when removing several rules work from the highest number down. Passing the complete rule specification (the text after `-A DOCKER` in the `-S` output) to `-D` instead of the number avoids the problem entirely and simply fails if the rule is already gone.
3. Adding a rule
For example, to forward requests to host port 25022 to port 22 of the container with IP 172.17.0.58:
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 25022 -j DNAT --to-destination 172.17.0.58:22
Three caveats. First, this only rewrites the destination in the nat table; the forwarded packets still have to pass the filter table's FORWARD chain (not shown on this page). Docker adds matching ACCEPT rules there only for the ports it publishes itself, so whether a hand-added forward gets through depends on that chain's policy and contents. Second, a rule added by hand is not known to Docker: it is not removed when the container stops, it does not survive a reboot or a reload of iptables, and the container's 172.17.0.58 address can change the next time the container is restarted, so check it with `docker inspect` before adding the rule. Third, written like the existing rules, without `-s`, the rule exposes the container's sshd on every host address; add `-s <allowed CIDR>` to limit who can reach it.
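The following is an added example and not part of the original notes: a small POSIX shell helper that turns the `-S` listing into delete-by-specification commands (covering the deletion in step 2 without relying on line numbers) and into guarded, source-restricted add commands (step 3). The rule text it parses is a constructed subset of the DOCKER chain shown above; the admin network 10.0.0.0/8 and the container address 172.17.0.58 are assumptions for illustration. It prints the iptables commands instead of executing them, so the output can be reviewed before it is run as root on a host.

```shell
#!/bin/sh
# Added example, not from the original notes. Generates iptables commands from
# the nat-table DOCKER chain as printed by `iptables -t nat -S DOCKER`.
# It only prints commands; run the printed output as root once reviewed.

# Constructed sample: a subset of the DOCKER chain shown in the notes.
# On a live host replace this with: SAMPLE_RULES=$(iptables -t nat -S DOCKER)
SAMPLE_RULES='-N DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 18000 -j DNAT --to-destination 172.17.0.26:8000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 50022 -j DNAT --to-destination 172.17.0.38:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 21022 -j DNAT --to-destination 172.17.0.56:22'

# Print the rule specification (everything after "-A DOCKER") of the rule that
# matches host port $1, or nothing if there is none. The exact-token comparison
# means a request for 2102 does not match the rule for 21022.
rule_spec_for_port() {
  printf '%s\n' "$SAMPLE_RULES" | awk -v port="$1" '
    $1 == "-A" && $2 == "DOCKER" {
      for (i = 3; i < NF; i++) {
        if ($i == "--dport" && $(i + 1) == port) {
          $1 = ""; $2 = ""          # drop "-A DOCKER"; awk rebuilds the line
          sub(/^ +/, ""); print; exit
        }
      }
    }'
}

# Delete by specification instead of by line number: numbers shift after every
# deletion, the specification does not. Prints nothing if no rule matches.
delete_cmd_for_port() {
  spec=$(rule_spec_for_port "$1")
  if [ -n "$spec" ]; then
    printf 'iptables -t nat -D DOCKER %s\n' "$spec"
  fi
}

# Add a forward host_port -> container_ip:container_port, restricted to the
# source network allowed_src (the rules in the notes have no -s and are open
# on every host address). `-C` checks for an identical rule first so that
# running the printed command twice does not append a duplicate.
add_cmd() { # usage: add_cmd host_port container_ip container_port allowed_src
  spec="-s $4 ! -i docker0 -p tcp -m tcp --dport $1 -j DNAT --to-destination $2:$3"
  printf 'iptables -t nat -C DOCKER %s 2>/dev/null || iptables -t nat -A DOCKER %s\n' \
    "$spec" "$spec"
}

delete_cmd_for_port 21022                 # the rule the notes delete as "-D DOCKER 14"
add_cmd 25022 172.17.0.58 22 10.0.0.0/8   # assumed: 10.0.0.0/8 is the admin network
```

Deleting through the printed specification is idempotent in practice: a second run prints the same command, and iptables rejects it with "No chain/target/match by that name" once the rule is gone, instead of silently removing whatever rule has moved into position 14.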