启动一个有nat映射端口的容器时iptables 报No chain/target/match by that name
1 | docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper |
找了N多网站和官方issue后,还是没找到真正的解决方法,网上到处转载的只是分析了原因,
并没有明确的解决方案,为此与同事通宵加班终于解决了这个问题
找到系统的/etc/sysconfig/iptables
,如果没有用以下命令保存一下,然后查看里边的内容1
2iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
发现内容如下1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
syn
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
DOS
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# 省略一些简单的防火墙规则
查看启动容器的报错信息发现-A DOCKER
DOCKER链,但在iptables文件里并没有找到,
由于之前在自己的系统(archlinux)学习使用docker时并没遇到这问题,
所以马上去看了下自己系统里的iptables的文件,
内容如下1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22
COMMIT
Completed on Sun Sep 20 17:35:31 2015
Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
Completed on Sun Sep 20 17:35:31 2015
对比后以去掉不相关的规则,以现*nat
规则里有以下的对于docker的配置1
2
3
4
5
6
7
8
9*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
规则里对docker的配置如下1
2
3
4
5
6
7
8
9
10*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
去掉不相关规则后的配置文件如下(可以直接用):1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
Completed on Sun Sep 20 17:35:31 2015
Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:461018923]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
Completed on Sun Sep 20 17:35:31 2015
然后再加上自己服务器的过滤规则,合并后覆盖到Centos 7的 /etc/sysconfig/iptables
文件
重启iptables 服务1
systemctl restart iptables.service
两次启动对应docker容器,1
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
发现容器启动成功,虽然有警告,但并不影响容器的使用
PS: @孙振树 提供的解决办法: 如果iptables是在docker后安装的,把docker重新安装下就可以了