Docker

restart docker service iptables be reset Docker Basic rule (New Docker maybe change somethings) *nat :PREROUTING ACCEPT [27:11935] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [598:57368] :POSTROUTING ACCEPT [591:57092] :DOCKER - [0:0] -A PREROUTING -m addrtype –dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype –dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE COMMIT # Completed on Sun Sep 20 17:35:31 2015 # Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015 *filter :INPUT ACCEPT [139291:461018923] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [127386:5251162] :DOCKER - [0:0] -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT COMMIT # Completed on Sun Sep 20 17:35:31 2015 ...

http://blog.pulipuli.info/2011/07/ http://linux.vbird.org/linux_server/0250simple_firewall.php iptables \[-AI 鏈\] \[-io 網路介面\] \[-p tcp,udp\] \\ \> \[-s 來源IP/網域\] \[--sport 埠口範圍\] \\ \> \[-d 目標IP/網域\] \[--dport 埠口範圍\] -j \[ACCEPT|DROP|REJECT\] 選項與參數： \--sport 埠口範圍：限制來源的埠口號碼，埠口號碼可以是連續的，例如 1024:65535 \--dport 埠口範圍：限制目標的埠口號碼。 \[root@www ~\]# iptables -A INPUT \[-m state\] \[--state 狀態\] 選項與參數： \-m ：一些 iptables 的外掛模組，主要常見的有： state ：狀態模組 mac ：網路卡硬體位址 (hardware address) \--state ：一些封包的狀態，主要有： INVALID ：無效的封包，例如資料破損的封包狀態 ESTABLISHED：已經連線成功的連線狀態； NEW ：想要新建立連線的封包狀態； RELATED ：這個最常用！表示這個封包是與我們主機發送出去的封包有關 範例：只要已建立或相關封包就予以通過，只要是不合法封包就丟棄 \[root@www ~\]# iptables -A INPUT -m state \\ \> \--state RELATED,ESTABLISHED -j ACCEPT \[root@www ~\]# iptables -A INPUT -m state --state INVALID -j DROP https://www.booleanworld.com/depth-guide-iptables-linux-firewall/ https://www.lammertbies.nl/comm/info/iptables.html ...

https://meta.discourse.org/t/applying-docker-discourse-iptables-rules-when-using-csf-firewall/70531/5 csf v12.08 NOTE: This feature is currently in BETA testing, so may not work correctly This section provides the configuration of iptables rules to allow Docker containers to communicate through the host. If the generated rules do not work with your setup you will have to use a /etc/csf/csfpost.sh file and add your own iptables configuration instead 1 to enable, 0 to disable

https://gist.github.com/javahippie/efee5417c69aaad3baf297dd2cd71fc6 version: '3.3' services: go-ethereum: build: context: go-ethe/ ports: - "8545:8545" - "30303:30303" networks: - elk networks: elk: driver: bridge FROM ubuntu:xenial RUN apt-get update \ && apt-get install -y wget \ && rm -rf /var/lib/apt/lists/* WORKDIR "/opt" ARG BINARY="geth-linux-amd64-1.8.17-8bbe7207.tar.gz" RUN wget "https://gethstore.blob.core.windows.net/builds/$BINARY" RUN tar -xzvf $BINARY --strip 1 RUN rm $BINARY ADD ./genesis.json ./genesis.json RUN ./geth init genesis.json CMD nohup ./geth --dev --rpc --rpcaddr "0.0.0.0" --rpccorsdomain "*" --mine #geth --syncmode "light" --cache=2048 EXPOSE 8545 EXPOSE 30303

1、Get key Key Path c:\user\xxxooo\.docker\machine\machines\%%%%% xxxooo user %%%%% machine name id_rsa This is key 2、Need vm ip、id_rsa Get IP： 1. docker-machine ssh %%%%% 2. ifconfig If need PPK：winscp can auto change id_rsa to ppk 3、last step login VM account：docker =========== https://github.com/boot2docker/boot2docker Docker Machine auto logs in using the generated SSH key, but if you want to SSH into the machine manually (or you’re not using a Docker Machine managed VM), the credentials are: ...