啟動容器時，有可能會遇到如下問題，比如啟動redis容器：

sudo docker run -d -p 6379:6379 --name redis redis:latest

?

通過分析異常信息，發現是因為在進行原地址到目標地址轉換的時候沒有在docker主機的iptables規則中找到nat表規則，只有filter表規則。

?

在filter表上面增加nat表配置規則信息，需要說明的是docker容器的網段是172.17.0.0/16，另外需要注意filter表中也要有docker鏈的相關配置。

sudo?vi /etc/sysconfig/iptables

1. Shell代碼

   1. #?sample?configuration?for?iptables?service??
   2. #?you?can?edit?this?manually?or?use?system-config-firewall??
   3. #?please?do?not?ask?us?to?add?additional?ports/services?to?this?default?configuration??
   4. *nat??
   5. :PREROUTING?ACCEPT?[27:11935]??
   6. :INPUT?ACCEPT?[0:0]??
   7. :OUTPUT?ACCEPT?[0:0]??
   8. :POSTROUTING?ACCEPT?[0:0]??
   9. :DOCKER?-[0:0]??
   10. -A?PREROUTING?-m?addrtype?--dst-type?LOCAL?-j?DOCKER??
   11. -A?OUTPUT?!-d?127.0.0.0/8-m?addrtype?--dst-type?LOCAL?-j?DOCKER??
   12. -A?POSTROUTING?-s?172.17.0.0/16!-o?docker0?-j?MASQUERADE??
   13. COMMIT??
   14. #??
   15. *filter??
   16. :INPUT?ACCEPT?[0:0]??
   17. :FORWARD?ACCEPT?[0:0]??
   18. :OUTPUT?ACCEPT?[0:0]??
   19. :DOCKER?-[0:0]??
   20. -A?FORWARD?-o?docker0?-j?DOCKER??
   21. -A?FORWARD?-o?docker0?-m?conntrack?--ctstate?RELATED,ESTABLISHED?-j?ACCEPT??
   22. -A?FORWARD?-i?docker0?!-o?docker0?-j?ACCEPT??
   23. -A?FORWARD?-i?docker0?-o?docker0?-j?ACCEPT??
   24. -A?INPUT?-m?state?--state?RELATED,ESTABLISHED?-j?ACCEPT??
   25. -A?INPUT?-p?icmp?-j?ACCEPT??
   26. -A?INPUT?-i?lo?-j?ACCEPT??
   27. -A?INPUT?-p?tcp?-m?state?--state?NEW?-m?tcp?--dport?22-j?ACCEPT??
   28. -A?INPUT?-p?tcp?-m?state?--state?NEW?-m?tcp?--dport?9090-j?ACCEPT??
   29. -A?INPUT?-p?tcp?-m?state?--state?NEW?-m?tcp?--dport?1521-j?ACCEPT??
   30. -A?INPUT?-p?tcp?-m?state?--state?NEW?-m?tcp?--dport?6379-j?ACCEPT??
   31. -A?INPUT?-j?REJECT?--reject-with?icmp-host-prohibited??
   32. -A?FORWARD?-j?REJECT?--reject-with?icmp-host-prohibited??
   33. COMMIT??
   ?

重啟iptables

sudo systemctl restart iptables.service?

?

重新啟動容器即可。