iptables doesn't seem to be stopped

I have a CentOS 7 computer, which originally uses iptables as its firewall configuration tool.

The computer has a docker container that listens to port 10079.

I want to use firewalld to replace iptables.

Both firewalld and iptables run outside of the docker container. I don't run them inside the container.

So I ran the following commands:

$ systemctl stop iptables
# disable iptables so that it doesn't start at the next system reboot.
$ systemctl disable iptables

$ systemctl start firewalld
$ systemctl enable firewalld


$ firewall-cmd --list-services
dhcpv6-client ssh

As you can see from the output of the firewall-cmd --list-services command, I only have the ssh and dhcpv6-client services enabled.

However, one thing that I find strange is that I can still access the server through port 10079.

I thought that the rules in the iptables chains would become invalid after running the systemctl stop iptables command.

But I was wrong, because I can still access a service on the computer through port 10079.

Why can I still access port 10079 after running the systemctl stop iptables command?

Here's the status of iptables and firewalld:

$ systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-06-18 16:56:38 CST; 47min ago
  Process: 18324 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 18220 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 18220 (code=exited, status=0/SUCCESS)

Jun 18 16:56:22 foo.my-company.com systemd[1]: Starting IPv4 firewall with iptables...
Jun 18 16:56:22 foo.my-company.com iptables.init[18220]: iptables: Applying firewall rules: [  OK  ]
Jun 18 16:56:22 foo.my-company.com systemd[1]: Started IPv4 firewall with iptables.
Jun 18 16:56:38 foo.my-company.com systemd[1]: Stopping IPv4 firewall with iptables...
Jun 18 16:56:38 foo.my-company.com iptables.init[18324]: iptables: Setting chains to policy ACCEPT: nat mangle security raw fil...OK  ]
Jun 18 16:56:38 foo.my-company.com iptables.init[18324]: iptables: Flushing firewall rules: [  OK  ]
Jun 18 16:56:38 foo.my-company.com systemd[1]: Stopped IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-06-18 16:56:38 CST; 48min ago
     Docs: man:firewalld(1)
 Main PID: 18325 (firewalld)
    Tasks: 2
   Memory: 26.0M
   CGroup: /system.slice/firewalld.service
           └─18325 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jun 18 16:56:38 foo.my-company.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 18 16:56:38 foo.my-company.com systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure con...t now.
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-e06022...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ee12e0...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-37072d...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-95db75...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-d77a44...ain?).
Jun 18 16:56:40 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -...ain?).
Hint: Some lines were ellipsized, use -l to show in full.

It looks like firewalld has started correctly, and iptables has been disabled.

Here's the content of the /var/log/firewalld when restarting my computer now:

2021-06-18 22:13:19 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ee12e0b3bd4b -o br-ee12e0b3bd4b -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-37072db2b0a2 -o br-37072db2b0a2 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-95db758dd575 -o br-95db758dd575 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-d77a4470f1ee -o br-d77a4470f1ee -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-e06022f15557 -o br-e06022f15557 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

The log contains a lot of warnings about docker. Maybe this problem has something to do with docker.

Here's my current iptables setting.

$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (6 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            192.168.208.2        tcp dpt:8005
ACCEPT     tcp  --  0.0.0.0/0            172.29.0.3           tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.3           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.3           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.4           tcp dpt:9000
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:22

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         

Dom: If you disable iptables, you can access port 10079 if firewalld is not started correctly. Check the logs: you may see whether there is an error.

Brian: Thanks for the information. Do you mean running `journalctl -u firewalld.service` to see the logs?

Dom: I never use journalctl, but you found them. You need to fix the firewalld warnings to enable the new firewall. Firewalld does not start correctly: there are 8 COMMAND_FAILED!

Brian: But according to this [post](https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name), the error message `WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).` can be ignored.

Brian: The full warning message can be found in `/var/log/firewalld`. My error message is the same as the one mentioned in that [post](https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name).

Michael Hampton: Reboot the computer.

Brian: @MichaelHampton, I can still access port 10079 after rebooting the computer.

Michael Hampton: Is firewalld still giving the same warnings, or different ones?

Brian: The server is built in a docker container. I'm not sure whether this problem has anything to do with docker.

Brian: `firewalld` still gives the same warnings after the reboot.

Michael Hampton: What does this mean? "The server is built in a docker container."

Brian: @MichaelHampton, I mean that the server is created using a `docker-compose.yml` file. It's something like [this](https://github.com/kassambara/wordpress-docker-compose).

Michael Hampton: But why are you trying to run firewalld inside the container? Of course that won't work.

Brian: `firewalld` is outside the docker container.
Firewalld adds a layer of abstraction on top of iptables in the kernel. While the systemctl stop iptables command may have stopped a user-space utility for managing the chains, the kernel configuration appears to be unmodified by it (if I had to guess, stopping the service probably saves the chains to give you persistence of settings across reboots).

Docker itself manages many of the kernel's iptables settings to configure connectivity between containers and to the host. In addition to creating bridge networks and virtual ethernet devices, there are also NAT rules created to allow containers to connect to the network as the host. And for port forwarding (from host to container), there is a combination of a user-space docker-proxy process that listens and various forwarding rules. All of this is configured automatically when you publish a port, and it bypasses any filtering rules you configure in a tool like firewalld. You can see this in the FORWARD table, where the various DOCKER table entries are created before the various *_ZONES entries.

If you want to configure firewall policies on published ports, the process is to use the DOCKER-USER table and combine it with conntrack to handle the mangling that NAT does. The result looks like this:

# Drop external requests by default.
# This rule is first because these are each inserted at the top of the chain,
# so the first insert becomes the last rule run in the chain.
# By default, the DOCKER-USER table contains a single RETURN entry for
# everything, so other rules must be inserted before it.
iptables -I DOCKER-USER -j DROP
# allow existing requests
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
# allow requests between containers
iptables -I DOCKER-USER -i br+ -j RETURN
# allow requests from docker to external
iptables -I DOCKER-USER -i docker+ -j RETURN
# allow anything to host port 5000
iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport 5000 -j RETURN
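
As an added example (not code from the question or the answer above), the following Python script parses an `iptables -L -n` dump in the shape shown in the question and reports the two conditions the answer describes: the FORWARD chain reaching Docker's DOCKER chain before firewalld's FORWARD_*_ZONES chains, and a DOCKER-USER chain that still holds only its default RETURN, which leaves every port accepted in the DOCKER chain reachable without any filtering. The sample dump embedded in the script is constructed (a trimmed copy of the layout above), and the column split assumes the standard `iptables -L -n` format (target, prot, opt, source, destination, extra).

```python
"""Audit an `iptables -L -n` dump for Docker published ports that bypass firewalld.

Added example; the sample dump below is constructed to mirror the layout of the
output in the question, it is not a capture from the asker's machine.
"""
import re
import sys

# Constructed sample: trimmed version of the chains shown in the question.
SAMPLE_DUMP = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.3           tcp dpt:5432

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_dump(text):
    """Return {chain_name: [rule, ...]}; list order is the kernel's evaluation order."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Skip blank lines, the per-chain column header, and anything before the first chain.
        if current is None or not line.strip() or line.startswith("target "):
            continue
        parts = line.split(None, 5)  # target prot opt source destination [extra matches]
        chains[current].append({
            "target": parts[0], "prot": parts[1], "src": parts[3], "dst": parts[4],
            "extra": parts[5].strip() if len(parts) > 5 else "",
        })
    return chains


def first_index(rules, pattern):
    """0-based position of the first rule whose target matches pattern, or None."""
    for i, rule in enumerate(rules):
        if re.match(pattern, rule["target"]):
            return i
    return None


def docker_precedes_firewalld(chains):
    """True when FORWARD jumps to DOCKER before any firewalld FORWARD_*_ZONES chain."""
    fwd = chains.get("FORWARD", [])
    docker = first_index(fwd, r"^DOCKER$")
    zones = first_index(fwd, r"^FORWARD_(IN|OUT)_ZONES")
    return docker is not None and zones is not None and docker < zones


def published_ports(chains):
    """(container_ip, port) pairs that the DOCKER chain accepts, i.e. published ports."""
    found = []
    for rule in chains.get("DOCKER", []):
        m = re.search(r"dpt:(\d+)", rule["extra"])
        if rule["target"] == "ACCEPT" and m:
            found.append((rule["dst"], int(m.group(1))))
    return found


def docker_user_is_default(chains):
    """True when DOCKER-USER holds only Docker's default unconditional RETURN."""
    rules = chains.get("DOCKER-USER", [])
    return len(rules) == 1 and rules[0]["target"] == "RETURN" and rules[0]["extra"] == ""


def audit(text):
    """Human-readable findings for a dump; empty list means nothing to report."""
    chains = parse_dump(text)
    findings = []
    if docker_precedes_firewalld(chains):
        findings.append("FORWARD reaches DOCKER before FORWARD_*_ZONES: "
                        "firewalld zones do not filter published ports")
    if docker_user_is_default(chains):
        for ip, port in published_ports(chains):
            findings.append("published %s:%d is reachable with no DOCKER-USER policy" % (ip, port))
    return findings


if __name__ == "__main__":
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(dump):
        print(finding)
```

Run it with a live dump on stdin (`iptables -L -n | python3 audit_docker_fw.py`) or with no input to use the embedded sample. After the DOCKER-USER rules from the answer are applied, the per-port findings disappear because DOCKER-USER no longer consists of the single default RETURN; the ordering finding stays, which is the point of the answer: filtering of published ports has to live in DOCKER-USER, not in firewalld's zones.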
