Networking Docker是否在网桥网络的iptables中自动执行IP伪装规则?
我在QNAP raid机器上运行了Networking Docker是否在网桥网络的iptables中自动执行IP伪装规则?,networking,docker,iptables,qnap,Networking,Docker,Iptables,Qnap,我在QNAP raid机器上运行了docker-1.9.1。它具有默认的网桥网络,使用子网10.0.3.0/24。在iptables中,我在nat表中看到一条规则: -A postfrouting-s10.0.3.0/24-d 10.0.3.0/24-j化妆舞会 我假设Docker自己创造了这个规则 我创建了一个新的网桥网络: docker network create \ --gateway=10.0.5.1 \ --subnet=10.0.5.0/24 \ -o "com.docker.ne
docker-1.9.1网桥10.0.3.0/24nat-A postfrouting-s10.0.3.0/24-d 10.0.3.0/24-j化妆舞会docker network create \
--gateway=10.0.5.1 \
--subnet=10.0.5.0/24 \
-o "com.docker.network.bridge.host_binding_ipv4"="0.0.0.0" \
-o "com.docker.network.bridge.enable_icc"="true" \
-o "com.docker.network.driver.mtu"="1500" \
-o "com.docker.network.bridge.name"="lxcbr1" \
-o "com.docker.network.bridge.enable_ip_masquerade"="true" \
isolated_nw
# docker --version
Docker version 1.9.1, build 7206621
# iptables -t nat -S | grep 10.0.5.0
<no result>
docker network create \
--gateway=10.0.5.1 \
--subnet=10.0.5.0/24 \
-o "com.docker.network.bridge.host_binding_ipv4"="0.0.0.0" \
-o "com.docker.network.bridge.enable_icc"="true" \
-o "com.docker.network.driver.mtu"="1500" \
-o "com.docker.network.bridge.name"="lxcbr1" \
-o "com.docker.network.bridge.enable_ip_masquerade"="true" \
isolated_nw
[/share/Containers] # docker --version
Docker version 1.9.1, build 147ce3e
[/share/Containers] # iptables -t nat -S | grep 10.0.5.0
[/share/Containers] # docker network create \
> --gateway=10.0.5.1 \
> --subnet=10.0.5.0/24 \
> -o "com.docker.network.bridge.host_binding_ipv4"="0.0.0.0" \
> -o "com.docker.network.bridge.enable_icc"="true" \
> -o "com.docker.network.driver.mtu"="1500" \
> -o "com.docker.network.bridge.name"="lxcbr1" \
> -o "com.docker.network.bridge.enable_ip_masquerade"="true" \
> isolated_nw
a7b5c938008169f32fcdfc1d9409716b725cc916b30f472ac6ec2a1d71fb77f0
[/share/Containers] # iptables -t nat -S | grep 10.0.5.0
[/share/Containers] # iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
[/share/Containers] #
docker network create \
--gateway=10.0.5.1 \
--subnet=10.0.5.0/24 \
-o "com.docker.network.bridge.host_binding_ipv4"="0.0.0.0" \
-o "com.docker.network.bridge.enable_icc"="true" \
-o "com.docker.network.driver.mtu"="1500" \
-o "com.docker.network.bridge.name"="lxcbr1" \
-o "com.docker.network.bridge.enable_ip_masquerade"="true" \
isolated_nw
# docker --version
Docker version 1.9.1, build 7206621
# iptables -t nat -S | grep 10.0.5.0
<no result>
docker network create \
--gateway=10.0.5.1 \
--subnet=10.0.5.0/24 \
-o "com.docker.network.bridge.host_binding_ipv4"="0.0.0.0" \
-o "com.docker.network.bridge.enable_icc"="true" \
-o "com.docker.network.driver.mtu"="1500" \
-o "com.docker.network.bridge.name"="lxcbr1" \
-o "com.docker.network.bridge.enable_ip_masquerade"="true" \
isolated_nw
# iptables -t nat -S | grep 10.0.5.0
-A POSTROUTING -s 10.0.5.0/24 ! -o lxcbr1 -j MASQUERADE
docker network rm isolated_nwiptables-t nat-SnatDOCKER# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 10.0.5.0/24 ! -o lxcbr1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
create networkDOCKERError response from daemon: Failed to program NAT chain: Failed to
inject docker in PREROUTING chain: iptables failed: iptables --wait
-t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER: iptables
v1.4.21: Couldn't load target `DOCKER':No such file or directory
你知道“创建你自己的网桥网络”吗?我在那个页面上用了一些例子来创建我自己的网络。看起来它不包括ip伪装或iptables。它…实际上是。您可以在我的回答中看到我运行的命令的实际顺序。或者你可以看这个,这是我运行相同测试的一个实际会话:我的意思是,除了配置选项
com.docker.network.bridge.enable\u ip\u masqueradenat