Shulou(Shulou.com)06/02 Report--

In this issue, the editor will bring you about the relationship between docker and iptables. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

1. First understand the network mechanism of docker.

Docker has four network modes:

A.host

B.container

C.none

D.bridge

Docker uses namespace in linux to isolate resources, and a docker container allocates a separate network namespace. But if the container uses host, then the container will share a network namespqce with the host, and the container will not virtualize its own network card and configure its own ip, but will use the ip and port of the host

Contianer mode refers to sharing a network namespaces with an existing container. Except for the network, the resources of the two containers are isolated, and the processes of the two containers can communicate through the lo network card device.

In none mode, docker has its own network namespaces, but for any network configuration of docker, we need to add networks and configure ip for the docker container.

Bridge mode is the default network setting for docker. This mode assigns network namespace to each container, sets ip, etc., and connects a host's docker container to a virtual network.

Here is a description of the most commonly used bridge mode

1.1 Topology in bridge mode

As shown in the figure:

When docker deamon starts, a virtual bridge named docker0 is created on the host, and the docker container launched on this host is connected to the virtual bridge. A virtual bridge works like a physical switch.

Docker assigns a different ip address to the docker bridge and container from the host.

Docker0: flags=4163 mtu 1500

Inet 192.168.0.1 netmask 255.255.240.0 broadcast 0.0.0.0

Ether 02:42:a7:07:f4:fc txqueuelen 0 (Ethernet)

RX packets 13612806 bytes 1998086329 (1.8 GiB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 17525195 bytes 2961142842 (2.7GiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

You can think of docker0 as the management interface of the bridge

Chain DOCKER (1 references)

Target prot opt source destination

ACCEPT tcp-0.0.0.0 tcp dpt:15672 0 192.168.0.3

ACCEPT tcp-0.0.0.0 tcp dpt:5672 0 192.168.0.3

ACCEPT tcp-0.0.0.0 tcp dpt:6379 0 192.168.0.2

ACCEPT tcp-0.0.0.0 tcp dpt:80 0 192.168.0.4

ACCEPT tcp-0.0.0.0 tcp dpt:80 0 192.168.0.5

ACCEPT tcp-0.0.0.0 tcp dpt:33246 0 192.168.0.6

Above is the IP and port of different container from iptables.

1.2 the process for the newly created docker container to complete the above network configuration is roughly as follows:

First of all, a virtual network card veth pair device is created on the host, which appears in pairs to form a data channel. One end is in container and named eth0, and the other end is placed in the host to veth. Command, using $brctl show as follows:

Bridge name bridge id STP enabled interfaces

Docker0 8000.0242a707f4fc no veth0dca6c1

Veth530a377

Vethb6dcd90

Vethe08439b

Vethe56b601

Vethfc60fba

Then an IP is assigned to container and the ip address of docker0 is set as the default gateway of the container

1.3Container communication in bridge mode

Containers connected under the same bridge in bridge mode can communicate with each other.

The process of sending a packet out of the container: the ip packet will be sent from container to its default gateway docker0, and when the packet arrives at docker0, it will arrive at the host. At this time, it will query the routing table of the host and find that the packet should be sent out from the host's network card eth0. The following iptables rules take effect. Snat the packet and convert the original address to the address of eth0, so that the docker container is not visible to the outside:

-A POSTROUTING-s 172.17.0 MASQUERADE 16!-o docker0-j MASQUERADE

The process of accepting a package by the container requires the port mapping of the host:

Look at ipbtales:

Chain FORWARD (policy ACCEPT)

Target prot opt source destination

DOCKER-ISOLATION all-anywhere anywhere

DOCKER all-anywhere anywhere

ACCEPT all-anywhere anywhere ctstate RELATED,ESTABLISHED

ACCEPT all-anywhere anywhere

ACCEPT all-anywhere anywhere

DROP all-anywhere anywhere

Dnat the traffic of the corresponding port of the host, and send the traffic to container.

The above is the relationship between docker and iptables shared by the editor. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.