How to configure port forwarding for docker on CentOS 7 to be compatible with firewall

On CentOS 7, when we map a host port to a container port with a command like the following, we may find that the service inside the container cannot be reached.

docker run --name web_a -p 192.168.1.250:803:80 -d web_a:beta1.0.0

When Docker runs this command, it injects a rule into iptables to map host port 803 to container port 80. On CentOS 7, however, the firewall is managed by the firewalld service rather than the iptables service, so the port mapping from the command above does not take effect.

Solution: First, check the host's network interfaces and confirm that the docker0 virtual interface has been added:

[root@localhost /home]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
    inet6 fe80::42:5cff:fe0e:82f9 prefixlen 64 scopeid 0x20<link>
    ether 02:42:5c:0e:82:f9 txqueuelen 0 (Ethernet)
    RX packets 1288 bytes 1561177 (1.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1594 bytes 108755 (106.2 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.1.250 netmask 255.255.255.0 broadcast 192.168.1.255
    inet6 fe80::76f4:9aea:4973:ec6c prefixlen 64 scopeid 0x20<link>
    inet6 240e:379:542:2800:8844:77ba:78dd:7 prefixlen 128 scopeid 0x0<global>
    inet6 240e:379:542:2811:3ead:218:ba68:38e6 prefixlen 64 scopeid 0x0<global>
    ether 74:d4:35:09:93:19 txqueuelen 1000 (Ethernet)
    RX packets 10166908 bytes 1221399579 (1.1 GiB)
    RX errors 0 dropped 3014 overruns 0 frame 0
    TX packets 982334 bytes 427296782 (407.5 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device interrupt 18

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 1000 (Local Loopback)
    RX packets 1833650 bytes 450567722 (429.6 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 1833650 bytes 450567722 (429.6 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vethecef228: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::f425:f1ff:fe82:9c19 prefixlen 64 scopeid 0x20<link>
    ether f6:25:f1:82:9c:19 txqueuelen 0 (Ethernet)
    RX packets 234 bytes 1520113 (1.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 613 bytes 39809 (38.8 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Use the following command to find the virtual IP assigned to the container instance:

docker inspect web_a

Assuming the container's IP is 172.17.0.2, we create a NAT forwarding rule for this IP and let the firewalld service handle it:

# Host port requests are forwarded to the container (the service in the container should not listen on localhost but on the virtual IP assigned to the container, or on 0.0.0.0)
# Enable NAT (masquerade) so forwarded traffic can be routed
firewall-cmd --permanent --zone=public --add-masquerade
# Forward host port 803 requests to port 80 on the container
firewall-cmd --add-forward-port=port=803:proto=tcp:toaddr=172.17.0.2:toport=80 --permanent
# Reload the rules
firewall-cmd --reload
# List all rules
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: ssh dhcpv6-client
  ports: 3306/tcp 80/tcp 21/tcp 5000/tcp 6379/tcp 900/tcp 801/tcp 802/tcp 6000/tcp 5002/tcp 90/tcp 9092/tcp 81/tcp 803/tcp
  protocols:
  masquerade: yes
  forward-ports: port=803:proto=tcp:toport=80:toaddr=172.17.0.2
  source-ports:
  icmp-blocks:
  rich rules:
# Restart Docker
systemctl restart docker
# Restart the container
docker start web_a

After these steps, the service on port 80 inside the container can be reached at the host IP on port 803, and there is no need to stop firewalld (much of the advice found online is to replace it with the iptables service, but in actual testing that is not necessary).
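One caveat the procedure above leaves implicit: the forward-port rule hardcodes the container IP (172.17.0.2), but Docker assigns that address when the container starts, so after a restart the rule can end up pointing at an address the container no longer holds. The following script is an added example, not code from the original article: it parses `firewall-cmd --list-all` output, compares the forward-port entries for host port 803 with the IP the container currently has, and emits the `firewall-cmd` commands needed to bring the zone back in line. The container name (web_a), zone (public), host port and container port are taken from the article; the `SAMPLE_LISTING` text is constructed for the demonstration and the `container_ip` helper (which wraps `docker inspect -f`) is only called in real use.

```shell
#!/bin/sh
# Added example (not from the original article): reconcile the firewalld
# forward-port rule for a container with the IP the container currently holds.

# Build the rule string firewalld prints and accepts for one mapping.
# Usage: forward_rule HOST_PORT PROTO CONTAINER_IP CONTAINER_PORT
forward_rule() {
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$1" "$2" "$4" "$3"
}

# Current bridge IP of a running container (real use only; needs docker).
# Docker hands this address out at start time, so it can change on restart.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Print the forward-port entries from `firewall-cmd --list-all` output (stdin),
# one per line. Handles both the single-line form CentOS 7 prints and the
# indented multi-line form newer firewalld releases print.
list_forward_rules() {
    awk '
        /^[ \t]*forward-ports:/ {
            inblock = 1
            sub(/^[ \t]*forward-ports:[ \t]*/, "")
            n = split($0, entry, /[ \t]+/)
            for (i = 1; i <= n; i++) if (entry[i] != "") print entry[i]
            next
        }
        inblock && /^[ \t]*port=/ { sub(/^[ \t]+/, ""); print; next }
        inblock { inblock = 0 }
    '
}

# Emit the firewall-cmd commands that bring ZONE in line with DESIRED: enable
# masquerade if it is off, remove entries for the same host port/proto that
# point elsewhere, add the desired rule if absent, reload if anything changed.
# The `firewall-cmd --list-all` listing is read from stdin; nothing is executed.
# Usage: plan_forward_sync ZONE DESIRED_RULE
plan_forward_sync() {
    zone=$1 desired=$2
    listing=$(cat)
    prefix=${desired%%:toport=*}    # e.g. port=803:proto=tcp
    changed=0 present=0
    if ! printf '%s\n' "$listing" | grep -q '^[[:space:]]*masquerade:[[:space:]]*yes'; then
        printf 'firewall-cmd --permanent --zone=%s --add-masquerade\n' "$zone"
        changed=1
    fi
    for rule in $(printf '%s\n' "$listing" | list_forward_rules); do
        case $rule in
            "$desired") present=1 ;;
            "$prefix":*)
                # same host port and protocol, but a different target: stale
                printf 'firewall-cmd --permanent --zone=%s --remove-forward-port=%s\n' "$zone" "$rule"
                changed=1 ;;
        esac
    done
    if [ "$present" -eq 0 ]; then
        printf 'firewall-cmd --permanent --zone=%s --add-forward-port=%s\n' "$zone" "$desired"
        changed=1
    fi
    [ "$changed" -eq 1 ] && printf 'firewall-cmd --reload\n'
    return 0
}

# Constructed sample of `firewall-cmd --list-all` output: the container has been
# restarted and came up on 172.17.0.3, while the old rule still names 172.17.0.2.
# The port 801 entry belongs to another container and must be left alone.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: enp2s0
  ports: 80/tcp 801/tcp 803/tcp
  masquerade: yes
  forward-ports: port=803:proto=tcp:toport=80:toaddr=172.17.0.2 port=801:proto=tcp:toport=80:toaddr=172.17.0.5
  source-ports:
  rich rules:'

# Plan the sync for web_a against the sample listing.
demo_plan() {
    ip=172.17.0.3    # in real use: ip=$(container_ip web_a)
    printf '%s\n' "$SAMPLE_LISTING" | plan_forward_sync public "$(forward_rule 803 tcp "$ip" 80)"
}

demo_plan
```

In real use, replace the sample with `firewall-cmd --list-all | plan_forward_sync public "$(forward_rule 803 tcp "$(container_ip web_a)" 80)"`; the script only prints the commands, so review them and pipe the output to `sh` as root to apply. Keeping the rule generation and the state check separate makes it easy to run the same check from a cron job or a post-start hook and alert when the rule and the container drift apart.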

Summary

This concludes this article on configuring port forwarding for Docker on CentOS 7 to be compatible with the firewall. For more on configuring Docker port forwarding alongside firewalld, search the previous articles on 123WORDPRESS.COM.
