
How Docker traffic flows through iptables


Analysis of the traffic paths of a Docker container

1. Experiment: a Docker container curls an external site

Run curl www.baidu.com inside the Docker container.

1.1 Outbound packets

Inside the container: OUTPUT → POSTROUTING → on the host: PREROUTING → FORWARD → POSTROUTING (on the host the packet enters through docker0 and leaves through ens192)

Trace rules inside the container

iptables -t raw -I OUTPUT -p tcp -d 39.156.66.14 -j ACCEPT
iptables -t mangle -I POSTROUTING -p tcp -d 39.156.66.14 -j ACCEPT


Trace rules on the host

iptables -t raw -I PREROUTING -p tcp -i docker0 -d 39.156.66.14 -j ACCEPT

iptables -t mangle -I FORWARD -p tcp -i docker0 -o docker0 -d 39.156.66.14 -j ACCEPT
iptables -t mangle -I FORWARD -p tcp -i docker0 -o ens192 -d 39.156.66.14 -j ACCEPT

iptables -t mangle -I POSTROUTING -p tcp -o docker0 -d 39.156.66.14 -j ACCEPT
iptables -t mangle -I POSTROUTING -p tcp -o ens192 -d 39.156.66.14 -j ACCEPT


The ICMP case

Trace rules inside the container

iptables -t raw -I OUTPUT -p icmp -d 39.156.66.14 -j ACCEPT
iptables -t mangle -I POSTROUTING -p icmp -d 39.156.66.14 -j ACCEPT


Trace rules on the host

iptables -t raw -I PREROUTING -p icmp -d 39.156.66.14 -j ACCEPT
iptables -t mangle -I FORWARD -p icmp -d 39.156.66.14 -j ACCEPT
iptables -t mangle -I POSTROUTING -p icmp -d 39.156.66.14 -j ACCEPT


1.2 Inbound packets

On the host: PREROUTING → FORWARD → POSTROUTING → inside the container: PREROUTING → INPUT (on the host the packet enters through ens192 and leaves through docker0)

First check the count of packets received inside the container: 7.

Trace rules on the host

iptables -t raw -I PREROUTING -p tcp -i ens192 -s 39.156.66.14 -j ACCEPT
iptables -t raw -I PREROUTING -p tcp -i docker0 -s 39.156.66.14 -j ACCEPT

iptables -t mangle -I FORWARD -p tcp -i ens192 -o ens192 -s 39.156.66.14 -j ACCEPT
iptables -t mangle -I FORWARD -p tcp -i ens192 -o docker0 -s 39.156.66.14 -j ACCEPT
iptables -t mangle -I FORWARD -p tcp -i docker0 -o ens192 -s 39.156.66.14 -j ACCEPT
iptables -t mangle -I FORWARD -p tcp -i docker0 -o docker0 -s 39.156.66.14 -j ACCEPT

iptables -t mangle -I POSTROUTING -p tcp -o docker0 -s 39.156.66.14 -j ACCEPT
iptables -t mangle -I POSTROUTING -p tcp -o ens192 -s 39.156.66.14 -j ACCEPT


Trace rules inside the container

iptables -t raw -I PREROUTING -p tcp -i eth0 -s 39.156.66.14 -j ACCEPT
iptables -t mangle -I INPUT -p tcp -i eth0 -s 39.156.66.14 -j ACCEPT

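Every experiment on this page uses the same technique: an ACCEPT rule that matches the flow is inserted at the top of the raw table (the first table consulted in PREROUTING and OUTPUT) and of the mangle table (present in all five chains), and the packet counters on those rules reveal which chains a packet traversed. The script below is an added example and not part of the original post: it parses the counters out of `iptables -t <table> -nvL -x` output so the traversal can be read as text instead of from a screenshot. The sample output it works on is constructed for illustration (the packet counts are made up), and the function names `trace_hits` and `chains_hit` are choices made here.

```shell
#!/bin/sh
# Added example (not from the original post): read the counters of the trace
# rules described on the page from `iptables -t <table> -nvL -x` output.

# Constructed sample of `iptables -t mangle -nvL -x` on the host after the
# container curled 39.156.66.14. The counts are invented for illustration.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1000 packets, 400000 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      360 ACCEPT     tcp  --  docker0 ens192  0.0.0.0/0            39.156.66.14
       0        0 ACCEPT     tcp  --  docker0 docker0 0.0.0.0/0            39.156.66.14

Chain OUTPUT (policy ACCEPT 900 packets, 300000 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      360 ACCEPT     tcp  --  *      ens192  0.0.0.0/0            39.156.66.14
       0        0 ACCEPT     tcp  --  *      docker0 0.0.0.0/0            39.156.66.14'

# trace_hits TABLE_OUTPUT ADDR
# Prints "CHAIN in=IF out=IF pkts=N" for every rule whose source or
# destination column equals ADDR and whose packet counter is non-zero.
# Columns of `iptables -nvL -x`: pkts bytes target prot opt in out source destination
trace_hits() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ && ($8 == addr || $9 == addr) && $1 > 0 {
            printf "%s in=%s out=%s pkts=%s\n", chain, $6, $7, $1
        }'
}

# chains_hit TABLE_OUTPUT ADDR
# The chains that saw the flow, de-duplicated and in table order, on one line.
chains_hit() {
    trace_hits "$1" "$2" | awk '!seen[$1]++ { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Stand-alone run against the constructed sample.
trace_hits "$SAMPLE_MANGLE" 39.156.66.14
echo "chains traversed: $(chains_hit "$SAMPLE_MANGLE" 39.156.66.14)"
```

Zero the counters with `iptables -t raw -Z` and `iptables -t mangle -Z` before each run so the numbers reflect only the flow under test, then feed the output of `iptables -t mangle -nvL -x` (and the same for raw) to `trace_hits`; the `-x` flag prints exact counts instead of abbreviations such as 12K, which the parser relies on. On the constructed sample above the outbound flow shows up in FORWARD (docker0 → ens192) and POSTROUTING (→ ens192) only, matching the host-side path stated in 1.1.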

2. Experiment: a Docker container pings the host

The container pings the host

2.1 Inbound traffic

Docker container: OUTPUT → POSTROUTING → host: PREROUTING → INPUT

Inside the container:

iptables -t raw -I OUTPUT -s 172.17.0.2 -j ACCEPT
iptables -t mangle -I POSTROUTING -s 172.17.0.2 -j ACCEPT


On the host:

iptables -t raw -I PREROUTING -i docker0 -s 172.17.0.2 -j ACCEPT
iptables -t mangle -I INPUT -i docker0 -s 172.17.0.2 -j ACCEPT
iptables -t raw -I PREROUTING -i ens192 -s 172.17.0.2 -j ACCEPT
iptables -t mangle -I INPUT -i ens192 -s 172.17.0.2 -j ACCEPT


2.2 Outbound traffic

Host: OUTPUT → POSTROUTING → inside the Docker container: PREROUTING → INPUT

On the host

iptables -t raw -I OUTPUT -o ens192 -j ACCEPT
iptables -t raw -I OUTPUT -o docker0 -j ACCEPT

iptables -t mangle -I POSTROUTING -o ens192 -j ACCEPT
iptables -t mangle -I POSTROUTING -o docker0 -j ACCEPT


Inside the container

iptables -t raw -I PREROUTING -j ACCEPT
iptables -t mangle -I INPUT -j ACCEPT


3. Experiment: the host pings a Docker container

The host pings the container

3.1 Outbound traffic

Host: OUTPUT → POSTROUTING → inside the container: PREROUTING → INPUT

On the host

iptables -t raw -I OUTPUT -o docker0 -d 172.17.0.2 -j ACCEPT
iptables -t raw -I OUTPUT -o ens192 -d 172.17.0.2 -j ACCEPT

iptables -t mangle -I POSTROUTING -o docker0 -d 172.17.0.2 -j ACCEPT
iptables -t mangle -I POSTROUTING -o ens192 -d 172.17.0.2 -j ACCEPT


3.2 Inbound traffic

Inside the container: OUTPUT → POSTROUTING → host: PREROUTING → INPUT

On the host

iptables -t raw -I PREROUTING -i docker0 -s 172.17.0.2 -j ACCEPT
iptables -t mangle -I INPUT -i docker0 -s 172.17.0.2 -j ACCEPT
iptables -t raw -I PREROUTING -i ens192 -s 172.17.0.2 -j ACCEPT
iptables -t mangle -I INPUT -i ens192 -s 172.17.0.2 -j ACCEPT


4. Experiment: a Docker container pings another Docker container

Container t1 pings container t2

Inside container t1: OUTPUT → POSTROUTING → on the host: PREROUTING → FORWARD → POSTROUTING → inside container t2: PREROUTING → INPUT

Container t1

iptables -t raw -I OUTPUT -d 172.17.0.3 -j ACCEPT
iptables -t mangle -I POSTROUTING -d 172.17.0.3 -j ACCEPT


On the host

iptables -t raw -I PREROUTING -s 172.17.0.2 -d 172.17.0.3 -i docker0 -j ACCEPT
iptables -t mangle -I FORWARD -s 172.17.0.2 -d 172.17.0.3 -i docker0 -o docker0 -j ACCEPT
iptables -t mangle -I POSTROUTING -s 172.17.0.2 -d 172.17.0.3 -o docker0 -j ACCEPT


By o1hy : blog.o1hy.com