先介绍下我的使用环境：
操作系统：CentOS7.9
Docker版本：20.10.21
事情是这样的，安装完Docker的时候，容器镜像都跑起来了，端口也放行了，就是无法控制系统防火墙friewalld,查看firewalld状态报错

[root@dapaodocker ~]# systemctl status firewalld
● firewalld.service – firewalld – dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-01-28 14:53:05 CST; 17min ago
Docs: man:firewalld(1)
Main PID: 15031 (firewalld)
Tasks: 2
Memory: 28.0M
CGroup: /system.slice/firewalld.service
└─15031 /usr/bin/python2 -Es /usr/sbin/firewalld –nofork –nopid

Jan 28 14:53:05 dapaodocker systemd[1]: Starting firewalld – dynamic firewall daemon…
Jan 28 14:53:05 dapaodocker systemd[1]: Started firewalld – dynamic firewall daemon.
Jan 28 14:53:05 dapaodocker firewalld[15031]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jan 28 14:53:06 dapaodocker firewalld[15031]: WARNING: COMMAND_FAILED: ‘/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP’ failed: iptables: Bad rule (does a matching rule exist in that chain?).

查看系统防火墙的规则如下：

[root@dapaodocker ~]# firewall-cmd –list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 39000-40000/tcp 8888/tcp 5000/tcp 8099/tcp 28000-65534/tcp 27017/tcp 801/tcp 9200/tcp 9300/tcp 9100/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family=”ipv4″ source address=”192.168.1.157″ port port=”5601″ protocol=”tcp” accept

可以看到，我是只允许192.168.1.157访问我这台服务器的5601端口的，但是局域网内同一个网组里其他机器也正常访问，完全背离了我的初衷。

查看了资料发现Docker和之前的旧版本的Firewalld还有不兼容的情景，
1、打开配置文件，使用VIM
vim /lib/systemd/system/docker.service
将

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

修改为:

ExecStart=/usr/bin/dockerd -H fd:// --iptables=false --containerd=/run/containerd/containerd.sock

2、重启系统防火墙

systemctl stop firewalld
systemctl start firewalld

3、重启docker

systemctl daemon-reload
systemctl restart docker

让同一局域网里的同事访问下

解决了多年的困惑，再也不纠结这个事情了。愉快的玩转Docker吧