Docker 尽管有iptables,我还是可以访问谷歌云上的80端口——为什么?
我正在运行google云容器实例(cos-beta-70-11021-29-0)和nginx:Docker 尽管有iptables,我还是可以访问谷歌云上的80端口——为什么?,docker,google-cloud-platform,google-compute-engine,iptables,Docker,Google Cloud Platform,Google Compute Engine,Iptables,我正在运行google云容器实例(cos-beta-70-11021-29-0)和nginx: docker run——名称xx-d-p80:80nginx 尽管端口80未在iptables中打开,我仍可以访问nginx欢迎页面: $ sudo iptables -S -P INPUT DROP -P FORWARD DROP -P OUTPUT DROP -N DOCKER -N DOCKER-ISOLATION-STAGE-1 -N DOCKER-ISOLATION-STAGE-2 -N D
docker run——名称xx-d-p80:80nginx$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
为什么会这样?为了公开端口,您必须将内部docker网络与外部docker网络通信,因此docker将自己的
docker-p80:80-码头工人-d172.17.0.2/32-i docker0-o docker0-p tcp-m tcp--dport 80-j ACCEPT--iptables=false/etc/default/docker/etc/systemd/system/docker.service.d按本地主机访问欢迎页面:80?否,访问