Docker iptables explained

1. Environment

Docker is installed on this host, and one container is running with a port mapping.

The raw and mangle tables in iptables are empty.


// Docker container

docker ps | grep 43040d1aba46
43040d1aba46 aylei/aliyun-exporter:0.3.1 "python -u /usr/loca…" 2 months ago Up 2 months 9522/tcp, 0.0.0.0:9525->9525/tcp gallant_lumiere

// iptables filter table (iptables -t filter -nL; without -v the in/out interface matches of the rules are not shown)

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:9525

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

// iptables nat table


[root@yunwei_jenkins-dev_1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE tcp -- 172.17.0.6 172.17.0.6 tcp dpt:9525

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9525 to:172.17.0.6:9525

2. How a packet passes through iptables

Next, let's walk through how a packet is handled as it passes through iptables. First, the building blocks: iptables has 4 tables (raw, mangle, nat, filter) and 5 chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING). A packet does not visit all five chains. After PREROUTING the kernel makes a routing decision: a packet addressed to the host itself goes to INPUT, while a packet addressed to another host goes to FORWARD and then POSTROUTING (after DNAT, a container counts as another host). Packets generated by the host itself start at OUTPUT and then pass through POSTROUTING. See the figure below:

[Figure: packet flow through the iptables tables and chains; the image is not included here]

1. A packet from an external client first passes through the PREROUTING chain. raw and mangle are empty, so we can go straight to the PREROUTING chain of the nat table:

Here every packet whose destination is one of the host's own addresses (ADDRTYPE match dst-type LOCAL) is sent to the DOCKER chain.

The DOCKER chain holds the DNAT rule: a packet for the host's port 9525 is rewritten to 172.17.0.6:9525. Its source and destination columns are both 0.0.0.0/0, i.e. any client, to any local address, which is exactly the `0.0.0.0:9525->9525/tcp` mapping shown by `docker ps`. The RETURN rule above it has a match that `-nL` does not print; on a default bridge setup `iptables-save` shows it as `-i docker0 -j RETURN`, so packets coming in from the bridge itself are not DNATed. Because this DNAT happens before the routing decision, it is what decides which chain the packet visits next.


// nat table (PREROUTING and DOCKER chains, from the listing in section 1)

# iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9525 to:172.17.0.6:9525
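As an added example that is not part of the original post: an audit script that parses `iptables-save -t nat` output and lists every port Docker has published, together with the address it is bound to. It complements the `0.0.0.0:9525->9525/tcp` column of `docker ps` because it reads what the kernel actually enforces. The ruleset embedded in the script is constructed to match this host's listing (the `-nL` output above hides the `-i docker0` / `! -i docker0` matches that `iptables-save` prints), plus one invented entry bound to a single address to exercise that case; the address 10.0.0.5 and the udp/53 mapping are assumptions, not from the post.

```sh
#!/bin/sh
# Added example (not from the original post): list the port publications Docker
# has programmed in the nat table by parsing `iptables-save -t nat` output.
# Assumption: DNAT rules have the shape Docker writes for a bridge network, e.g.
#   -A DOCKER ! -i docker0 -p tcp -m tcp --dport 9525 -j DNAT --to-destination 172.17.0.6:9525
# with an extra "-d <host ip>/32" when the port was published on one address only.

# Constructed sample of what `iptables-save -t nat` prints for the host in this
# post. The last DOCKER rule (udp 53 bound to 10.0.0.5 -> 172.17.0.7) is invented
# to exercise the single-address case.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.6/32 -d 172.17.0.6/32 -p tcp -m tcp --dport 9525 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9525 -j DNAT --to-destination 172.17.0.6:9525
-A DOCKER -d 10.0.0.5/32 ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.7:53
COMMIT'

# list_published_ports: reads iptables-save text on stdin and prints one line
# per DNAT rule in the DOCKER chain:
#   <proto> <bind address>:<host port> -> <container ip:port> <ALL-INTERFACES|bound>
# A rule without "-d" has destination 0.0.0.0/0 (any local address, the
# "DNAT tcp -- 0.0.0.0/0 0.0.0.0/0" line in the post), i.e. it is reachable on
# every interface of the host.
list_published_ports() {
    awk '
    /^-A DOCKER / && / -j DNAT / {
        bind = "0.0.0.0"; proto = "?"; port = "?"; to = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-d")                    { bind = $(i + 1); sub(/\/32$/, "", bind) }
            else if ($i == "-p")               { proto = $(i + 1) }
            else if ($i == "--dport")          { port = $(i + 1) }
            else if ($i == "--to-destination") { to = $(i + 1) }
        }
        exposure = (bind == "0.0.0.0") ? "ALL-INTERFACES" : "bound"
        printf "%s %s:%s -> %s %s\n", proto, bind, port, to, exposure
    }'
}

# check_no_wildcard_binds: succeeds only if no port is published on 0.0.0.0.
# Reads iptables-save text on stdin; usable as an audit or CI gate.
check_no_wildcard_binds() {
    ! list_published_ports | grep -q 'ALL-INTERFACES'
}

# Usage on the Docker host (as root):  iptables-save -t nat | sh audit.sh -
# With no argument the constructed sample above is used instead.
case "${1:-sample}" in
    -)      list_published_ports ;;
    sample) printf '%s\n' "$SAMPLE_NAT_RULES" | list_published_ports ;;
esac
```

The script reads the DOCKER chain only, so it also ignores the POSTROUTING MASQUERADE rule that carries the same `--dport 9525`; that rule is source NAT, not a publication. Run it against the live host as root (`iptables-save -t nat | sh audit.sh -`); anything reported as ALL-INTERFACES is reachable from every network the host is attached to, regardless of what the INPUT chain allows.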

2. Next comes the routing decision. The DNAT has already changed the destination to 172.17.0.6, which is not one of the host's own addresses, so the packet is routed towards docker0 and passes through the FORWARD chain, not INPUT. The INPUT chains of the nat and filter tables (see section 1) have no rules, and for this packet that makes no difference: a host firewall that only filters INPUT never sees traffic to a published port. mangle is empty, so look at the FORWARD chain of the filter table:

FORWARD has policy DROP, so the packet must be accepted by an explicit rule. The rules are tried in order.

DOCKER-USER is empty apart from RETURN. Docker creates it for the administrator's own rules and evaluates it before everything it adds itself, which makes it the right place for restrictions on published ports.

DOCKER-ISOLATION-STAGE-1 and STAGE-2 stop traffic from leaving one Docker bridge for another. Their interface matches are not printed by `-nL`; on a default bridge setup `iptables-save` shows the STAGE-1 jump as `-i docker0 ! -o docker0` and the STAGE-2 DROP as `-o docker0`. A packet arriving on the external interface does not match, so STAGE-1 simply returns.

ACCEPT with ctstate RELATED,ESTABLISHED lets packets of connections that already exist through (this is how the container's replies will pass later), but it does not match the first SYN of a new connection.

The DOCKER chain has one rule: ACCEPT tcp to 172.17.0.6 port 9525, the published port. This is the rule that admits our packet; in full it is `! -i docker0 -o docker0 -p tcp -d 172.17.0.6 --dport 9525 -j ACCEPT`.

The two trailing ACCEPT rules, shown without their matches, are `-i docker0 ! -o docker0` and `-i docker0 -o docker0`: they allow traffic that originates from the bridge, i.e. containers talking to the outside world and to each other. They do not apply to traffic coming in from the external interface.


// filter table (INPUT, FORWARD and the chains FORWARD jumps to, from the listing in section 1)

# iptables -t filter -nL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.6 tcp dpt:9525

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

3. The OUTPUT chain is only traversed by packets the host generates itself, so it is not on the path of the packet we are following. It matters when a process on the host connects to the host's own address on port 9525. raw and mangle are empty, so look at the OUTPUT chains of the nat and filter tables (listed in section 1).

The nat table's OUTPUT chain sends locally generated packets whose destination is a local address other than loopback (!127.0.0.0/8, ADDRTYPE match dst-type LOCAL) to the same DOCKER chain, where the same DNAT to 172.17.0.6:9525 is applied; the packet is then re-routed towards docker0 and continues to POSTROUTING. Connections to 127.0.0.1:9525 are deliberately excluded from this DNAT; they are served by Docker's userland proxy (docker-proxy) instead.

The OUTPUT chain of the filter table has no rules.

4. Finally the packet reaches the POSTROUTING chain. mangle is empty, and the nat table has two MASQUERADE rules. Read their source and destination columns carefully: 0.0.0.0/0 means "any address", not a destination of 0.0.0.0.

The first rule, MASQUERADE for source 172.17.0.0/16 to any destination, is the SNAT for traffic leaving the container network: a container's own outbound connections get the address of the host interface they leave through (in `iptables-save` output the rule also carries `! -o docker0`, so container-to-container traffic is left alone). It does not match our inbound packet, whose source is the external client, so the container sees the real client address. No extra rule is needed for the reply either: conntrack remembers the DNAT and rewrites the reply's source back to the host address and port 9525.

The second rule, MASQUERADE tcp from 172.17.0.6 to 172.17.0.6 dport 9525, is not a port forward. It handles the hairpin case: when the container connects to the host's address on its own published port, the DNAT makes source and destination both 172.17.0.6. Without rewriting the source the reply would never leave the container and the host could not undo the DNAT, so the source is masqueraded to the bridge address.

The whole path for a connection from outside is therefore PREROUTING (nat: DNAT) -> FORWARD (filter: DOCKER-USER, isolation chains, DOCKER ACCEPT) -> POSTROUTING (nat: nothing matches), and the reply goes PREROUTING (nat DOCKER: RETURN for docker0) -> FORWARD (ACCEPT RELATED,ESTABLISHED) -> POSTROUTING (conntrack reverses the DNAT). The practical consequence is that a port published as 0.0.0.0:9525 is reachable from every network the host is attached to, whatever the INPUT chain says. Restrict it by publishing on a specific address (for example `-p 127.0.0.1:9525:9525`) or with rules in DOCKER-USER.
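As an added example that is not part of the original post: a script that restricts access to the published port with rules in DOCKER-USER, the one chain in FORWARD that Docker leaves to the administrator. It follows from the walkthrough above in two ways: DOCKER-USER is reached after the nat DNAT, so the packet is already addressed to the container, and Docker creates the chain with a single RETURN, so rules have to be inserted above it rather than appended. The external interface name eth0 and the trusted networks 10.0.0.0/8 and 192.168.1.0/24 are assumptions, not from the post.

```sh
#!/bin/sh
# Added example (not from the original post): restrict who can reach a published
# port with rules in DOCKER-USER, the FORWARD sub-chain Docker reserves for the
# administrator and evaluates before any of its own rules.
#
# Two details of the walkthrough shape these rules:
#  1. DOCKER-USER sits in FORWARD, and the nat DNAT in PREROUTING has already
#     run, so the packet is now addressed to 172.17.0.6:9525, not to the host.
#     Matching the original (pre-DNAT) destination port through conntrack
#     (--ctorigdstport) works for any mapping, including ones like -p 8080:80
#     where host port and container port differ.
#  2. Docker creates DOCKER-USER with a single "-j RETURN"; anything appended
#     after it is never reached, so the rules are inserted (-I) at the top.
#     The DROP is inserted first so that the allow rules inserted afterwards
#     end up above it.
# --ctdir ORIGINAL limits the match to packets in the client's direction, so
# replies to connections a container opened to some remote port 9525 are not
# caught by the DROP.
# Assumptions (not from the post): external interface eth0, trusted client
# networks 10.0.0.0/8 and 192.168.1.0/24.

# docker_user_rules <ext_if> <host_port> <cidr>...
# Prints idempotent iptables commands: each insert is guarded by "-C" so the
# script can be re-run without duplicating rules.
docker_user_rules() {
    ext_if=$1; port=$2; shift 2
    m="-i $ext_if -p tcp -m conntrack --ctorigdstport $port --ctdir ORIGINAL"
    echo "iptables -C DOCKER-USER $m -j DROP 2>/dev/null || iptables -I DOCKER-USER $m -j DROP"
    for cidr in "$@"; do
        echo "iptables -C DOCKER-USER $m -s $cidr -j RETURN 2>/dev/null || iptables -I DOCKER-USER $m -s $cidr -j RETURN"
    done
}

# Dry run by default; "--apply" executes the commands (root on the Docker host).
main() {
    rules=$(docker_user_rules eth0 9525 10.0.0.0/8 192.168.1.0/24)
    if [ "${1:-}" = "--apply" ]; then
        printf '%s\n' "$rules" | sh -e
        iptables -nvL DOCKER-USER      # expected order: allow rules, DROP, Docker's RETURN
    else
        printf '%s\n' "$rules"
    fi
}
main "$@"
```

The resulting chain reads: RETURN for each trusted network, then DROP for everything else arriving on eth0 for original destination port 9525, then Docker's own RETURN. Docker does not flush DOCKER-USER when it restarts, but the rules are not persistent across a reboot, so they need to be reapplied by whatever mechanism the distribution uses for iptables rules. When a port only needs to be reached from the host itself, publishing it as `-p 127.0.0.1:9525:9525` is the simpler fix.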

PS:
This is based on a friend's explanation and my own understanding; if there are errors, please point them out.
