Linux firewalld has no effect on Docker-mapped ports and cannot block them

I ran into a strange phenomenon today: the firewall on a CentOS server does not have port 8103 open, yet the port can still be reached from outside.

The ports opened on the server's firewall are shown in a screenshot (not reproduced here); port 8103 is not among them.

The open services are shown in a second screenshot (not reproduced here); the 3D system in question is not opened there either, yet, as a third screenshot shows, it can be accessed normally.

I restarted firewalld and even rebooted the server, but the problem remained. What a pain!!!

When I ran systemctl status firewalld, I suddenly noticed this warning:

WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

When firewalld starts (or reloads) it flushes the iptables rules, including the ones Docker added. That is why, after restarting the firewalld service, restarting the containers is often not enough: the Docker service itself has to be restarted so that Docker re-creates its rules. The warning above is harmless in itself (Docker is trying to delete a rule that is no longer there), and it is unrelated to today's topic.

At this point I finally found the reason why the port was not being blocked:

When a container is started with docker run -p, Docker inserts its own rules into iptables: a DNAT rule in the nat table's DOCKER chain (reached from PREROUTING) that rewrites the host port to the container's address, and an ACCEPT rule in the filter table's DOCKER chain (reached from FORWARD). firewalld's port rules, on the other hand, live in the INPUT chain and only apply to traffic addressed to the host itself. A packet for port 8103 is translated before routing and then takes the FORWARD path, which Docker's rule accepts, so it never meets the firewalld port list at all. Since firewalld on this system is just a front end for iptables, starting a container with -p is effectively punching a hole in the firewall.
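To make the hole visible, here is an added example (not code from the original post) that reads the output of iptables-save, pulls the DNAT rules out of Docker's nat DOCKER chain, and reports every published port that firewalld does not list. The iptables-save text and the firewall-cmd port list below are constructed samples for a host running one container published with -p 8103:8080 and one with -p 443:8443; on a real host replace them with the output of `iptables-save -t nat` and `firewall-cmd --list-ports`. The function names are mine.

```bash
#!/usr/bin/env bash
# Added example: list Docker-published ports that bypass firewalld's port rules.
# Not part of the original post. Replace the two constructed samples with
#   iptables-save -t nat          and          firewall-cmd --list-ports
set -eu

# Constructed sample of `iptables-save -t nat` (containers published with
# docker run -p 8103:8080 and docker run -p 443:8443).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8103 -j DNAT --to-destination 172.17.0.2:8080
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.3:8443
COMMIT'

# Constructed sample of `firewall-cmd --list-ports` for the public zone.
SAMPLE_FW_PORTS='80/tcp 443/tcp'

# docker_dnat_ports <iptables-save text>
# Prints "port/proto", one per line, for every DNAT rule in the nat DOCKER chain.
docker_dnat_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }          # "*nat" / "*filter" headers
        table == "nat" && $1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
            proto = ""; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
            }
            if (port != "") print port "/" proto
        }'
}

# unlisted_ports <iptables-save text> <firewalld port list>
# Prints the Docker-published ports that are reachable although firewalld does
# not list them: the DNAT happens in nat PREROUTING, so the packet never
# reaches the INPUT chain where firewalld's --add-port rules are evaluated.
unlisted_ports() {
    local p
    for p in $(docker_dnat_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;                  # also opened in firewalld: consistent
            *) printf '%s\n' "$p" ;;      # hole punched by docker -p alone
        esac
    done
}

unlisted_ports "$SAMPLE_NAT" "$SAMPLE_FW_PORTS"   # prints 8103/tcp
```

443/tcp is published by Docker too, but it is also opened in firewalld, so only 8103/tcp is reported as a hole.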

Since I want to control port access on the Docker host itself, the crude but simple fix is to stop Docker from touching iptables at all. (Docker's own documented hook for host-level filtering is the DOCKER-USER chain, which is evaluated before Docker's rules; the approach below is blunter.) The steps are:

vi /usr/lib/systemd/system/docker.service

Append --iptables=false to the ExecStart line that launches dockerd (the screenshot of the edited unit is not reproduced here). Note that edits to the unit file under /usr/lib are overwritten on a package upgrade; a drop-in under /etc/systemd/system/docker.service.d/ or the setting "iptables": false in /etc/docker/daemon.json is the durable place for it, but do not set it in both, since dockerd refuses to start when the same option is given twice.

systemctl daemon-reload
systemctl restart docker

Restart Docker and that is it: firewalld now decides whether port 8103 is reachable!!!

Note: after these steps the system firewall controls port access, but Docker no longer installs its FORWARD accept rules or the MASQUERADE rule for the docker0 subnet, so containers can no longer talk to each other and cannot reach the external network.

To give containers outbound access again, let firewalld masquerade (NAT) their traffic. The --permanent setting only takes effect after a firewalld reload:

firewall-cmd --permanent --zone=public --add-masquerade
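The whole procedure as one script, added here as an example and not taken from the original post: it puts "iptables": false into /etc/docker/daemon.json instead of editing the unit file, restarts Docker, enables masquerading in firewalld and then verifies the result. It assumes a CentOS 7 style host with firewalld and the public zone as in the post; the DOCKER_ETC variable, the --apply flag and the function names are my own conventions. The live steps run only with --apply and need root; without it the script only defines the functions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: stop Docker from managing
# iptables via daemon.json, hand NAT for containers to firewalld, and check.
set -eu

DOCKER_ETC="${DOCKER_ETC:-/etc/docker}"   # override for a dry run in a temp dir

# write_iptables_false DIR
# Creates DIR/daemon.json containing "iptables": false. Refuses to overwrite an
# existing file so other settings are not clobbered; add the key by hand then.
# Do not also keep --iptables=false in docker.service: dockerd rejects the
# same option given in both places.
write_iptables_false() {
    local dir="$1" file="$1/daemon.json"
    mkdir -p "$dir"
    if [ -e "$file" ]; then
        if grep -q '"iptables"' "$file"; then
            echo "iptables already configured in $file" >&2
            return 0
        fi
        echo "$file exists; add \"iptables\": false to it manually" >&2
        return 2
    fi
    printf '{\n  "iptables": false\n}\n' > "$file"
    chmod 0644 "$file"
}

# has_iptables_false FILE -> exit 0 if the key is present and set to false
has_iptables_false() {
    grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# apply_on_host: the post's steps plus masquerade and verification. Needs root.
apply_on_host() {
    write_iptables_false "$DOCKER_ETC"
    systemctl daemon-reload
    systemctl restart docker

    # Docker no longer adds its own MASQUERADE rule; let firewalld NAT the
    # docker0 subnet instead, then reload so the permanent setting is live.
    firewall-cmd --permanent --zone=public --add-masquerade
    firewall-cmd --reload

    # Checks: masquerade is active, and no DOCKER chain is left in the nat
    # table (so no DNAT rule can bypass firewalld's INPUT-chain port list).
    firewall-cmd --zone=public --query-masquerade
    if iptables -t nat -S DOCKER >/dev/null 2>&1; then
        echo "WARNING: nat DOCKER chain still present; was docker restarted?" >&2
        return 1
    fi
    # From now on every published port must be opened explicitly, e.g.
    #   firewall-cmd --permanent --zone=public --add-port=8103/tcp
    #   firewall-cmd --reload
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_on_host
fi
```

Running it with DOCKER_ETC pointed at a scratch directory and without --apply lets you inspect the generated daemon.json before touching a real host.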

One drawback of solving the problem by having Docker ignore the system firewall: the container can no longer see the client's real IP. With --iptables=false a published port is served by Docker's userland proxy (docker-proxy) instead of a DNAT rule, so the connection into the container originates from the host's docker0 address, and an nginx log inside the container records an address from the docker0 subnet rather than the client. For some businesses not getting the real IP is unacceptable; it is a matter of personal choice.

Source: blog.csdn.net/qq_30665009/article/details/129434833