Firewall and iptables
阿新 • Published: 2020-10-09
root@ubuntu:~# iptables -t nat -A POSTROUTING -s 10.10.104.83/32 -o enahisic2i0 -j MASQUERADE
root@ubuntu:~# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 19 packets, 878 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1272 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
root@ubuntu:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.16.254    0.0.0.0         UG    0      0        0 enahisic2i0
10.10.16.0      0.0.0.0         255.255.255.0   U     0      0        0 enahisic2i0
10.10.104.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
root@ubuntu:~# ufw status
Status: inactive
This rule is not taking effect (its pkts counter stays at 0), and the firewall is in the inactive state.
root@ubuntu:~# cat /proc/net/nf_conntrack
cat: /proc/net/nf_conntrack: No such file or directory
root@ubuntu:~#
Running ufw disable fixed it: afterwards the MASQUERADE rule's counter starts incrementing.
root@ubuntu:~# ufw disable
Firewall stopped and disabled on system startup
root@ubuntu:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
root@ubuntu:~# cat /proc/net/nf_conntrack
cat: /proc/net/nf_conntrack: No such file or directory
root@ubuntu:~# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 378 packets, 21207 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1272 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 8 packets, 976 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    1    60 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
root@ubuntu:~#
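The check the author did by eye above, whether the pkts counter of the MASQUERADE rule moves off zero, scripted as an added example that is not part of the original post. The two sample outputs are the POSTROUTING lines copied from the before and after sessions; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a nat POSTROUTING
# MASQUERADE rule is actually matching traffic by reading its pkts counter
# from `iptables -nvL -t nat` output, e.g. `iptables -nvL -t nat | masq_pkts enahisic2i0 10.10.104.83`.

# masq_pkts OUT_IFACE SOURCE  (reads iptables -nvL output on stdin)
# Prints the pkts counter of the POSTROUTING MASQUERADE rule whose out
# interface and source match; prints -1 if no such rule is listed.
masq_pkts() {
    awk -v oif="$1" -v src="$2" '
        /^Chain / { chain = $2; next }              # remember which chain we are in
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == oif && $8 == src {
            print $1; found = 1; exit               # column 1 of a rule line is pkts
        }
        END { if (!found) print -1 }
    '
}

# Constructed sample: POSTROUTING chain before `ufw disable` (rule counters at 0).
BEFORE='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0'

# Constructed sample: same chain after `ufw disable` (the rule has matched a packet).
AFTER='Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    1    60 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0'

# masq_check OUT_IFACE SOURCE LISTING: human-readable verdict, exit status
# 0 = rule effective, 1 = present but never matched, 2 = rule missing.
masq_check() {
    n=$(printf '%s\n' "$3" | masq_pkts "$1" "$2")
    case "$n" in
        -1) echo "no MASQUERADE rule for $2 via $1"; return 2 ;;
        0)  echo "rule present but 0 packets matched: not effective yet"; return 1 ;;
        *)  echo "rule effective: $n packet(s) matched"; return 0 ;;
    esac
}
```

A rule that is listed but whose counter never moves, as in the first session, is the signal that something else (here ufw) is interfering, rather than a typo in the rule itself.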