centos7 iptables/firewalld docker open port

Published: 2017-7-1 11:28:45  Edited by: www.fx114.net


Here are multiple "hackish" ways to do it:

    scan kernel logs, as mentioned by Jiri (but you have to do it right after starting the container, otherwise it gets messy);
    check the interface counters (sent/received packets/bytes) in the container, then compare with the interfaces in the host, and find the pair that matches exactly (but with sent and receive directions flipped);
    use an iptables LOG rule.

The last option is, IMHO, the more reliable one (and the easiest to use), but it's still very hackish. The idea is very simple:

    Add an iptables rule to log e.g. ICMP traffic arriving on the Docker bridge:

    sudo iptables -I INPUT -i docker0 -p icmp -j LOG

    Send a ping to the container you want to identify:

    IPADDR=$(docker inspect -f='{{.NetworkSettings.IPAddress}}' d6ed83a8e282)

    ping -c 1 $IPADDR

    Check kernel logs:

    dmesg | grep $IPADDR

    You will see a line looking like this:

    […] IN=docker0 OUT= PHYSIN=vethv94jPK MAC=fe:2c:7f:2c:ab:3f:42:83:95:74:0b:8f:08:00 SRC= …

    If you want to be fancy, just extract PHYSIN=… with awk or sed.

    Remove the iptables logging rule (unless you want to leave it there because you will regularly ping containers to identify them).

    iptables -I INPUT -i docker0 -p tcp --dport 9200 -j ACCEPT
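The ping-and-LOG procedure from the answer above, written out as a shell script. This is an added example, not code from the original answer or from Docker: extract_physin pulls the PHYSIN field out of one kernel log line (the SAMPLE_LOG line is constructed to match the shape of the dmesg output shown above), and find_container_veth runs the whole sequence and deletes the LOG rule again whether or not the ping succeeded. It assumes the default docker0 bridge, root privileges for iptables and dmesg, and a container ID as its argument; the --log-prefix tag and the ping -W timeout are assumptions of this script, not part of the answer.

```shell
#!/bin/sh
# Added example: identify the host-side veth of a container by logging the
# ICMP echo reply it sends back over docker0. Assumes the default bridge
# network and root privileges (iptables, and dmesg on restricted kernels).

# Print the interface name from the PHYSIN=<iface> field of one LOG line,
# or nothing if the line carries no PHYSIN field.
extract_physin() {
    printf '%s\n' "$1" | sed -n 's/.*PHYSIN=\([^ ]*\).*/\1/p'
}

# Full procedure: add a narrow LOG rule, ping the container once, read the
# matching kernel line, and remove the rule again before returning.
find_container_veth() {
    cid="$1"
    ipaddr=$(docker inspect -f '{{.NetworkSettings.IPAddress}}' "$cid") || return 1
    # Containers on user-defined networks have an empty IPAddress here.
    [ -n "$ipaddr" ] || { echo "no IP on default bridge for $cid" >&2; return 1; }

    # Scoped to ICMP on docker0 so it logs very little; the prefix is an
    # assumed tag that makes the line easy to find in dmesg.
    iptables -I INPUT -i docker0 -p icmp -j LOG --log-prefix "veth-id: "
    ping -c 1 -W 2 "$ipaddr" >/dev/null 2>&1
    # The echo reply arrives on docker0 with the container as SRC.
    line=$(dmesg | grep "veth-id: " | grep "SRC=$ipaddr " | tail -n 1)
    # Always remove the logging rule, even if the ping got no reply.
    iptables -D INPUT -i docker0 -p icmp -j LOG --log-prefix "veth-id: "

    extract_physin "$line"
}

# Constructed sample line, shaped like the dmesg output in the answer.
SAMPLE_LOG='[ 1234.5678] veth-id: IN=docker0 OUT= PHYSIN=vethv94jPK MAC=fe:2c:7f:2c:ab:3f:42:83:95:74:0b:8f:08:00 SRC=172.17.0.2 DST=172.17.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0'

if [ "${1:-}" = "--demo" ]; then
    extract_physin "$SAMPLE_LOG"   # prints vethv94jPK
elif [ -n "${1:-}" ]; then
    find_container_veth "$1"
fi
```

Run it as `sh find-veth.sh --demo` to see the parser on the sample line, or `sudo sh find-veth.sh <container-id>` for a live lookup. Deleting the rule with the exact same specification that inserted it is what keeps the INPUT chain clean; if the script is interrupted between the two iptables calls, check `iptables -L INPUT -n --line-numbers` for a leftover LOG rule.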
