How to configure Docker port forwarding so it works with the firewall on CentOS 7

  • 2021-08-21 21:53:30
  • OfStack

On CentOS 7, you may find that a container's service cannot be reached after mapping a host port to a container port with a command like the following:


docker run --name web_a -p 192.168.1.250:803:80 -d web_a:beta1.0.0

When this command runs, Docker inserts an iptables rule that maps host port 803 to container port 80. On CentOS 7, however, the iptables service has been replaced by firewalld, so the port mapping created by the command above does not take effect.

Solution: first, look at the network interface information on the host and confirm that a docker0 virtual interface has been added:


[root@localhost /home]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
    inet6 fe80::42:5cff:fe0e:82f9 prefixlen 64 scopeid 0x20<link>
    ether 02:42:5c:0e:82:f9 txqueuelen 0 (Ethernet)
    RX packets 1288 bytes 1561177 (1.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1594 bytes 108755 (106.2 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.1.250 netmask 255.255.255.0 broadcast 192.168.1.255
    inet6 fe80::76f4:9aea:4973:ec6c prefixlen 64 scopeid 0x20<link>
    inet6 240e:379:542:2800:8844:77ba:78dd:7 prefixlen 128 scopeid 0x0<global>
    inet6 240e:379:542:2811:3ead:218:ba68:38e6 prefixlen 64 scopeid 0x0<global>
    ether 74:d4:35:09:93:19 txqueuelen 1000 (Ethernet)
    RX packets 10166908 bytes 1221399579 (1.1 GiB)
    RX errors 0 dropped 3014 overruns 0 frame 0
    TX packets 982334 bytes 427296782 (407.5 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device interrupt 18

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 1000 (Local Loopback)
    RX packets 1833650 bytes 450567722 (429.6 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1833650 bytes 450567722 (429.6 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethecef228: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::f425:f1ff:fe82:9c19 prefixlen 64 scopeid 0x20<link>
    ether f6:25:f1:82:9c:19 txqueuelen 0 (Ethernet)
    RX packets 234 bytes 1520113 (1.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 613 bytes 39809 (38.8 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Check the virtual IP assigned to the container instance with the following command:


docker inspect web_a

Assuming the container's IP is 172.17.0.2, we create a NAT forwarding rule for this IP and let the firewalld service handle it:


# Forward host port requests to the container (the service inside the container must not listen on localhost only; it should listen on the container's virtual IP or on 0.0.0.0)
# Enable masquerading (NAT) so forwarded traffic can reach the container
firewall-cmd --permanent --zone=public --add-masquerade
# Forward requests to host port 803 to port 80 on the container
firewall-cmd --add-forward-port=port=803:proto=tcp:toaddr=172.17.0.2:toport=80 --permanent
# Reload the rules
firewall-cmd --reload
# List all rules
firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp2s0
 sources:
 services: ssh dhcpv6-client
 ports: 3306/tcp 80/tcp 21/tcp 5000/tcp 6379/tcp 900/tcp 801/tcp 802/tcp 6000/tcp 5002/tcp 90/tcp 9092/tcp 81/tcp 803/tcp
 protocols:
 masquerade: yes
 forward-ports: port=803:proto=tcp:toport=80:toaddr=172.17.0.2
 source-ports:
 icmp-blocks:
 rich rules:

# Restart docker
systemctl restart docker
# Restart the container 
docker start web_a

After these steps, the service on container port 80 can be reached at the host IP on port 803, and firewalld does not need to be stopped (many online answers say to replace firewalld with the iptables service, which in our testing was not necessary).
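One caveat a practitioner will want to check after the "systemctl restart docker" step: the forward-port rule hard-codes the container IP, and a restarted container may receive a different address from the default bridge. The following script is an added example, not part of the original post; it parses firewall-cmd --list-all output in the one-line forward-ports format shown above (the sample output and IPs here are constructed) and prints the firewall-cmd commands needed when the rule has gone stale.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: detect a stale firewalld forward-port
# rule. Docker's default bridge assigns 172.17.0.x addresses dynamically, so after
# "systemctl restart docker" the container may return with a new IP while the
# DNAT rule still points at the old one.
set -eu

# Constructed sample of "firewall-cmd --list-all" output, in the one-line
# forward-ports format that CentOS 7's firewalld prints (as on this page).
SAMPLE_LIST_ALL='public (active)
  target: default
  masquerade: yes
  forward-ports: port=803:proto=tcp:toport=80:toaddr=172.17.0.2 port=804:proto=tcp:toport=80:toaddr=172.17.0.5
  rich rules:'

# Print the toaddr of the forward-port rule for HOST_PORT/PROTO found in
# --list-all output read from stdin; prints nothing when no rule matches.
forward_target() {
    local host_port="$1" proto="$2"
    sed -n 's/^[[:space:]]*forward-ports:[[:space:]]*//p' |
        tr ' ' '\n' |
        { grep "^port=${host_port}:proto=${proto}:" || true; } |
        sed -n 's/.*toaddr=\([0-9.]*\).*/\1/p'
}
# Build a rule argument in the form --add/--remove-forward-port expect.
forward_rule() {
    printf 'port=%s:proto=%s:toaddr=%s:toport=%s\n' "$1" "$2" "$3" "$4"
}
# Compare the rule's target with the container's current IP. Returns 0 when
# they agree; otherwise prints the firewall-cmd commands that repair the rule.
check_forward() {
    local list_all="$1" host_port="$2" proto="$3" container_ip="$4" toport="$5"
    local current
    current=$(printf '%s\n' "$list_all" | forward_target "$host_port" "$proto")
    if [ "$current" = "$container_ip" ]; then
        echo "ok: ${host_port}/${proto} -> ${container_ip}:${toport}"
        return 0
    fi
    echo "stale: ${host_port}/${proto} -> '${current:-none}', container is at ${container_ip}"
    if [ -n "$current" ]; then
        echo "firewall-cmd --permanent --remove-forward-port=$(forward_rule "$host_port" "$proto" "$current" "$toport")"
    fi
    echo "firewall-cmd --permanent --add-forward-port=$(forward_rule "$host_port" "$proto" "$container_ip" "$toport")"
    echo "firewall-cmd --reload"
    return 1
}
# Demo: rule matches the IP from the post, then the container has moved to .3.
check_forward "$SAMPLE_LIST_ALL" 803 tcp 172.17.0.2 80
check_forward "$SAMPLE_LIST_ALL" 803 tcp 172.17.0.3 80 || true
```

On a live host, feed it the real output with `check_forward "$(firewall-cmd --list-all)" 803 tcp "$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web_a)" 80`.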
