CentOS 7: configuring firewalld as the firewall for Docker
Posted by jiba
Docker writes its firewall rules directly into the underlying iptables, so the firewalld layer on top of it has no effect on container traffic by default.
If you want firewalld to control that traffic, make the following adjustments:
Have firewalld remove the DOCKER-USER chain and create its own:
```bash
# Remove the DOCKER-USER chain (it won't exist at first)
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
# Flush rules from the DOCKER-USER chain (again, these won't exist at first; firewalld seems to remember them even if the chain is gone)
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
# Add the DOCKER-USER chain to firewalld
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
```
Add the rules you want. Rules with the same priority are appended in the order you add them, so the final REJECT must be added last:
```bash
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -j ACCEPT -m comment --comment "allows incoming from docker"
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -o eth0 -j ACCEPT -m comment --comment "allows docker to eth0"
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "allows docker containers to connect to the outside world"
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j RETURN -s 172.17.0.0/16 -m comment --comment "allow internal docker communication"
# You can also allow all traffic from a specific IP directly
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -s 61.222.3.133/32 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j REJECT --reject-with icmp-host-unreachable -m comment --comment "reject all other traffic"
```
Finally, reload firewalld and confirm with `iptables -L` that the rules are in place and in the intended order:
```bash
firewall-cmd --reload
```
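The ordering caveat above is easy to get wrong and easy to miss in a long `iptables -L` listing: a REJECT added before the allow rules silently blocks everything below it, and a chain with no catch-all lets unmatched traffic fall through to Docker's own ACCEPT rules. The following bash script is an added example, not part of the original post; it reads the chain in the `iptables -S DOCKER-USER` format (chosen over `-L` because it is line-oriented and unambiguous to parse) and reports whether the chain ends with exactly one catch-all REJECT/DROP. The `GOOD_CHAIN`, `BAD_CHAIN` and `OPEN_CHAIN` listings are constructed samples of that output, and `verify_live_chain` assumes it runs as root on the host after the reload.

```shell
#!/bin/bash
# Added example (not from the original post): sanity-check the ordering of
# the DOCKER-USER chain produced by the firewall-cmd --direct rules above.

# check_reject_last RULES
#   RULES is the text of `iptables -S DOCKER-USER`.
#   Returns 0 when the chain ends in a catch-all REJECT/DROP and no other
#   REJECT/DROP sits above it (which would shadow the allow rules below it).
check_reject_last() {
  rules=$(printf '%s\n' "$1" | grep '^-A DOCKER-USER ') || return 1
  last=$(printf '%s\n' "$rules" | tail -n 1)
  case "$last" in
    *"-j REJECT"*|*"-j DROP"*) ;;
    # No catch-all: unmatched traffic returns to FORWARD, where Docker accepts it.
    *) return 1 ;;
  esac
  # A REJECT/DROP anywhere above the final line makes every later allow rule dead.
  if printf '%s\n' "$rules" | sed '$d' | grep -Eq -- '-j (REJECT|DROP)'; then
    return 1
  fi
  return 0
}

# verify_live_chain: run on the host after `firewall-cmd --reload` (needs root).
verify_live_chain() {
  check_reject_last "$(iptables -S DOCKER-USER 2>/dev/null)"
}

# Constructed sample: the post's rules, added in the documented order.
GOOD_CHAIN='-N DOCKER-USER
-A DOCKER-USER -i docker0 -m comment --comment "allows incoming from docker" -j ACCEPT
-A DOCKER-USER -i docker0 -o eth0 -m comment --comment "allows docker to eth0" -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "allows docker containers to connect to the outside world" -j ACCEPT
-A DOCKER-USER -s 172.17.0.0/16 -m comment --comment "allow internal docker communication" -j RETURN
-A DOCKER-USER -s 61.222.3.133/32 -j ACCEPT
-A DOCKER-USER -m comment --comment "reject all other traffic" -j REJECT --reject-with icmp-host-unreachable'

# Constructed sample: REJECT added first, so the ACCEPT below it never matches.
BAD_CHAIN='-N DOCKER-USER
-A DOCKER-USER -m comment --comment "reject all other traffic" -j REJECT --reject-with icmp-host-unreachable
-A DOCKER-USER -s 61.222.3.133/32 -j ACCEPT'

# Constructed sample: allow rule only, no catch-all, so the chain blocks nothing.
OPEN_CHAIN='-N DOCKER-USER
-A DOCKER-USER -s 61.222.3.133/32 -j ACCEPT'

# Usage: `bash check_docker_user.sh live` checks the running host;
# without an argument the script only defines the functions and samples.
if [ "${1:-}" = "live" ]; then
  if verify_live_chain; then
    echo "DOCKER-USER ordering OK"
  else
    echo "DOCKER-USER ordering WRONG: catch-all REJECT missing or not last"
    exit 1
  fi
fi
```

Because the check only needs the `-S` listing, it can also be run against output saved from another host (for example from a configuration audit) by passing the text to `check_reject_last` directly.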
Reference:
https://holywhite.com/archives/489