网络基本原理本文会看下ker中容器建立后在宿主机上一些规则配置

dockerdaemonlibvirt建立的[root@dev~]#systemctlstatus[root@dev~]#systemctlstatusdocker.servicedocker.service-DockerApplicationContainerEngineLoaded:loaded(/usr/lib/systemd/system/docker.service;Active:inactive Docs: [root@dev~]#brctlbridgenamebridgeid STPenabledinterfaces [root@dev[root@dev~]#iptables-#Generatedbyiptables-savev1.4.21onThuAug613:40:20:PREROUTINGACCEPT:INPUTACCEPT:OUTPUTACCEPT:POSTROUTINGACCEPT[0:0]##CompletedonThuAug613:40:20#Generatedbyiptables-savev1.4.21onThuAug613:40:20:INPUTACCEPT:FORWARDACCEPT:OUTPUTACCEPT-AINPUT-mstate--stateRELATED,ESTABLISHED-j-AINPUT-picmp-j-AINPUT-ilo-j-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-j-AINPUT-jREJECT--reject-withicmp-host--AFORWARD-jREJECT--reject-withicmp-host-prohibited#CompletedonThuAug613:40:20[root@dev[root@dev~]#servicedockerRedirectingto/bin/systemctlstartdocker.service[root@dev~]#brctlshowbridgenamebridgeid STPenabledinterfaces 8000.56847afe9799 [root@dev~]#iplshowdevdocker0:docker0:<NO-CARRIER,BROADCAST,MULTICAST,UP>mtu1500noqueuestateDOWNmodelink/etherlink/ether56:84:7a:fe:97:99brd[root@dev[root@dev~]#iptables-#Generatedbyiptables-savev1.4.21onThuAug613:41:52:PREROUTINGACCEPT:INPUTACCEPT:OUTPUTACCEPT:POSTROUTINGACCEPT:DOCKER--APREROUTING-maddrtype--dst-typeLOCAL-j-AOUTPUT!-d127.0.0.0/8-maddrtype--dst-typeLOCAL-j-APOSTROUTING-s172.17.0.0/16!-odocker0-jMASQUERADE#CompletedonThuAug613:41:52#Generatedbyiptables-savev1.4.21onThuAug613:41:52:INPUTACCEPT:FORWARDACCEPT:OUTPUTACCEPT:DOCKER--AINPUT-mstate--stateRELATED,ESTABLISHED-j-AINPUT-picmp-j-A-AINPUT-ilo-j-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-j-AINPUT-jREJECT--reject-withicmp-host--AFORWARD-odocker0-j-AFORWARD-odocker0-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT-AFORWARD-idocker0!-odocker0-j-AFORWARD-idocker0-odocker0-j-AFORWARD-jREJECT--reject-withicmp-host-prohibited#CompletedonThuAug613:41:52可以看到在还没启动任何容器的情况下，natfilter这两个表中都添加iptables的一些基会的走：mangle-PREROUTING->nat-PREROUTING->mangle-INPUTfilter-INPUT这个顺序，然后走到接收的应用。如果一个数据包是从本机发送出去的，那么会走：mangle-OUTPUT->nat-OUTPUT->filter-OUTPUT->mangle-POSTROUTING->nat-POSTROUTING这个PREROUTING->nat-PREROUTING->mangle-FORWARD->filter-FORWARDmangle-POSTROUTINGnat-POSTROUTINGdockeriptables规则。也来看三种mangle-PREROUTING->nat-PREROUTINGmangle-INPUTfilter-INPUTnat表中可以看到-APREROUTINGmaddrtypedst-typeLOCALjDOCKER，也就是说addrtypemodule来匹配数据包，如果这个数据包是发给DOCKERDOCKER链是空的。->->里我们看到两条规则-AOUTPUTd127.0.0.0/8maddrtype–dst-LOCALjDOCKER以及-APOSTROUTINGs172.17.0.0/16- ->PREROUTING->mangle-FORWARD->filter-FORWARD->mangle-POSTROUTINGnat-POSTROUTING这个顺序。这里有四条规则是[root@dev[root@dev~]#dockerrun-dit--nametest-os[root@dev[root@dev~]#brctlbridgenamebridgeid STPenabledinterfaces 8000.56847afe9799 [root@dev~]#iplshowdevvethe7cd2e3:vethe7cd2e3:<BROADCAST,UP,LOWER_UP>mtu1500qdiscnoqueuemasterdocker0stateUPmodeDEFAULT link/etherf6:b9:36:fb:5b:acbrdff:ff:ff:ff:ff:ff[root@dev~]#ipashowdevvethe7cd2e3:vethe7cd2e3:<BROADCAST,UP,LOWER_UP>mtu1500qdiscnoqueuemasterdocker0stateUP link/etherf6:b9:36:fb:5b:acbrd inet6fe80::f4b9:36ff:fefb:5bac/64scope valid_lftforeverpreferred_lftvethtest-osnamespace中。需要注意的是dockernamespace的操作是直接通过套接字发送到内核的，没有像Neutronipip命令能查看到的namespaceipip命令查看[root@dev[root@dev~]#iptables-#Generatedbyiptables-savev1.4.21onThuAug614:12:58:PREROUTINGACCEPT:INPUTACCEPT:OUTPUTACCEPT:POSTROUTINGACCEPT:DOCKER--APREROUTING-maddrtype--dst-typeLOCAL-j-AOUTPUT!-d127.0.0.0/8-maddrtype--dst-typeLOCAL-j-APOSTROUTING-s172.17.0.0/16!-odocker0-jMASQUERADE#CompletedonThuAug614:12:58#Generatedbyiptables-savev1.4.21onThuAug614:12:58:INPUTACCEPT:FORWARDACCEPT:OUTPUTACCEPT:DOCKER--AINPUT-mstate--stateRELATED,ESTABLISHED-j-AINPUT-picmp-j-AINPUT-ilo-j-A-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-j-AINPUT-jREJECT--reject-withicmp-host--AFORWARD-odocker0-j-AFORWARD-odocker0-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT-AFORWARD-idocker0!-odocker0-j-AFORWARD-idocker0-odocker0-j-AFORWARD-jREJECT--reject-withicmp-host-prohibited#CompletedonThuAug614:12:58vethnamespace的vethe7cd2e3vethe7cd2e3plugdocker0上的，所以会ipforward，所以这个包会->PREROUTING->mangle-FORWARD->filter-FORWARD->mangle-[root@deviptables--L-ChainPREROUTING ACCEPT6518packets,593756bytes) bytes protopt 316 all-- ADDRTYPEmatchdst-typeChainINPUT ACCEPT4packets,256bytes) bytestarget protoptin ChainOUTPUT ACCEPT58packets,4574bytes) bytestarget protoptin 0 all-- ADDRTYPEmatchtypeChainPOSTROUTING ACCEPT58packets,4574bytes) bytestarget protoptin 168MASQUERADEall--* !docker0172.17.0.0/16 ChainDOCKER(2pktsbytestargetprotoptinoutsourcecache时间造成的。[root@dev~]#ipdefaultvia172.16.1.1devenp0s3protostaticmetricdefaultvia10.0.2.1devenp0s8protostaticmetric.0.2.0/24devenp0s8protokernelscopelinksrc.0.2.0/24devenp0s8protokernelscopelinksrc10.0.2.6metric100.16.1.0/24devenp0s3protokernelscopelinksrc172.16.1.75metric100.17.0.0/16devdocker0protokernelscopelinksrc.168.56.0/24devenp0s9protokernelscopelinksrc192.168.56.200metric100.168.100.0/24devenp0s10protokernelscopelinksrc192.168.100.101metric100.168.122.0/24devvirbr0protokernelscopelinksrc[root@dev[root@dev~]#dockerrun-dit-p8888:80--nametest-os2docker.io/centos/bin/bash[root@dev~]#iptables-#Generatedbyiptables-savev1.4.21onThuAug614:29:18:PREROUTINGACCEPT:INPUTACCEPT:FORWARDACCEPT:OUTPUTACCEPT:POSTROUTINGACCEPT#CompletedonThuAug614:29:18#Generatedbyiptables-savev1.4.21onThuAug614:29:18:PREROUTINGACCEPT:INPUTACCEPT:OUTPUTACCEPT:POSTROUTINGACCEPT:DOCKER--APREROUTING-maddrtype--dst-typeLOCAL-j-AOUTPUT!-d127.0.0.0/8-maddrtype--dst-typeLOCAL-j-APOSTROUTING-s172.17.0.0/16!-odocker0-j-APOSTROUTING-s172.17.0.6/32-d172.17.0.6/32-ptcp-m--dport80-j-ADOCKER!-idocker0-ptcp-mtcp--dport8888-jDNAT--to-destination172.17.0.6:80##CompletedonThuAug614:29:18#Generatedbyiptables-savev1.4.21onThuAug614:29:18:INPUTACCEPT:FORWARDACCEPT:OUTPUTACCEPT:DOCKER--AINPUT-mstate--stateRELATED,ESTABLISHED-j-AINPUT-picmp-j-AINPUT-ilo-j-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-j-AINPUT-jREJECT--reject-withicmp-host--AFORWARD-odocker0-j-AFORWARD-odocker0-mconntrack--ctstateRELATED,ESTABLISHED-jACCEPT-AFORWARD-idocker0!-odocker0-j-AFORWARD-idocker0-odocker0-j-AFORWARD-jREJECT--reject-withicmp-host--ADOCKER-d172.17.0.6/32!-idocker0-odocker0-ptcp-mtcp--dport80-jACCEPT#CompletedonThuAug614:29:18可以看到这里多了很多和、8相关的规则，我们来分析下。首先来看一个数据包需要从容器发送到公网的情况，此时会走转发的逻辑，也就是我们上面说的mangle-NG->t-G->mangle-FORWARDfilter-FORWARDmangle-POSTROUTINGnat-PREROUTINGDOCKER的链，DOCKER链!-idocker0这个要求使得这个数据包没有被匹配上，于是就继续走剩余的规则。filterFORWARD也没有匹配的，于是最后nat-POSTROUTINGSNAT出去了。现在来看下公网访8888nat-PREROUTING，然后匹配上了-A