First, my environment:
OS: CentOS 7.9
Docker version: 20.10.21
Here is what happened: after installing Docker, the container images were all up and running and the ports had been opened, but I could not control the system firewall, firewalld. Checking the firewalld status gave an error:
[root@dapaodocker ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2023-01-28 14:53:05 CST; 17min ago
     Docs: man:firewalld(1)
 Main PID: 15031 (firewalld)
    Tasks: 2
   Memory: 28.0M
   CGroup: /system.slice/firewalld.service
           └─15031 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jan 28 14:53:05 dapaodocker systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 28 14:53:05 dapaodocker systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 28 14:53:05 dapaodocker firewalld[15031]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jan 28 14:53:06 dapaodocker firewalld[15031]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
The system firewall rules looked like this:
[root@dapaodocker ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 39000-40000/tcp 8888/tcp 5000/tcp 8099/tcp 28000-65534/tcp 27017/tcp 801/tcp 9200/tcp 9300/tcp 9100/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.157" port port="5601" protocol="tcp" accept
As you can see, I only allow 192.168.1.157 to access port 5601 on this server, yet other machines in the same LAN segment could access it just fine, which completely defeated my intention.
Looking into it, I found that there are still cases where Docker and the older firewalld release are incompatible. The fix:
1. Open the configuration file with vim
vim /lib/systemd/system/docker.service
Change
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
to:
ExecStart=/usr/bin/dockerd -H fd:// --iptables=false --containerd=/run/containerd/containerd.sock
2. Restart the system firewall
systemctl stop firewalld
systemctl start firewalld
3. Restart Docker
systemctl daemon-reload
systemctl restart docker
Then have a colleague on the same LAN try to access it.
That cleared up a confusion I had carried around for years, and I no longer need to agonize over it. Enjoy playing with Docker!
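As an added check, not part of the original post: a small POSIX shell script that reads iptables-save style output (the sample below is constructed, modelled on a default dockerd publishing port 5601) and reports which container ports Docker's own DOCKER chain accepts before any firewalld zone or rich rule is consulted, plus a check of the dockerd ExecStart line for the --iptables=false fix from step 1. The sample rule text and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of `iptables-save`
# output on a host where a default dockerd (--iptables=true) publishes port 5601.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5601 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# docker_bypasses_firewalld RULES
# Prints "yes" when FORWARD hands traffic bound for docker0 to the DOCKER chain.
# Docker inserts this jump at the head of FORWARD, so a matching ACCEPT there is
# final and firewalld's zone rules (including rich rules) are never reached.
docker_bypasses_firewalld() {
    if printf '%s\n' "$1" | grep -q '^-A FORWARD -o docker0 -j DOCKER$'; then
        echo yes
    else
        echo no
    fi
}

# docker_exposed_ports RULES
# Prints each destination port the DOCKER chain accepts from outside docker0,
# i.e. the published ports reachable from any source address.
docker_exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER" && /! -i docker0/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# dockerd_iptables_disabled EXECSTART_LINE
# Prints "yes" if the dockerd command line carries the --iptables=false fix.
dockerd_iptables_disabled() {
    case " $1 " in
        *" --iptables=false "*) echo yes ;;
        *) echo no ;;
    esac
}

# Stand-alone run: summarise the constructed sample.
echo "DOCKER chain evaluated before firewalld: $(docker_bypasses_firewalld "$SAMPLE_RULES")"
echo "Ports accepted from any source: $(docker_exposed_ports "$SAMPLE_RULES" | tr '\n' ' ')"
```

On a real host, feed the functions the output of `iptables-save` and the ExecStart line shown by `systemctl cat docker`. Note that with --iptables=false dockerd also stops adding its NAT rules, so published ports and outbound container traffic then depend on the forwarding and masquerade rules the host firewall provides.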