• Firewalls and iptables


    root@ubuntu:~# iptables -t nat  -A POSTROUTING -s 10.10.104.83/32  -o enahisic2i0  -j MASQUERADE
    root@ubuntu:~# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 19 packets, 878 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       12  1272 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    
    Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
        0     0 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0           
    
    Chain DOCKER (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    root@ubuntu:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.10.16.254    0.0.0.0         UG    0      0        0 enahisic2i0
    10.10.16.0      0.0.0.0         255.255.255.0   U     0      0        0 enahisic2i0
    10.10.104.0     0.0.0.0         255.255.255.0   U     0      0        0 virbr1
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
    root@ubuntu:~# ufw status
    Status: inactive

      

This rule did not take effect, and the firewall is in the inactive state.

    root@ubuntu:~# cat /proc/net/nf_conntrack
    cat: /proc/net/nf_conntrack: No such file or directory
    root@ubuntu:~# 

Running ufw disable made it work.

    root@ubuntu:~# ufw disable
    Firewall stopped and disabled on system startup
    root@ubuntu:~# iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N DOCKER
    -N DOCKER-ISOLATION-STAGE-1
    -N DOCKER-ISOLATION-STAGE-2
    -N DOCKER-USER
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    root@ubuntu:~# cat /proc/net/nf_conntrack
    cat: /proc/net/nf_conntrack: No such file or directory
    root@ubuntu:~# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 378 packets, 21207 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       12  1272 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
    
    Chain INPUT (policy ACCEPT 8 packets, 976 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
    
    Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
        1    60 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0           
    
    Chain DOCKER (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    root@ubuntu:~# 
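
In the two listings above, the pkts counter of the MASQUERADE rule for 10.10.104.83 goes from 0 to 1. The following is an added example, not part of the original post, that reads that counter from `iptables -nvL -t nat` text and compares two readings. The function names `masq_pkts` and `rule_status` are assumptions, and the sample input is the POSTROUTING chain copied from the listings above.

```shell
#!/bin/sh
# Added example (not from the original post).
# The nat table is consulted only for the first packet of each connection, so
# the pkts counter of a MASQUERADE rule rises once per new flow it translates.

# masq_pkts SRC OUT_IF: reads `iptables -nvL -t nat` text on stdin and prints
# the pkts counter of the matching POSTROUTING MASQUERADE rule, or "absent".
# On a busy host add -x (iptables -nvxL) so counters are exact, not "12K".
masq_pkts() {
    awk -v src="$1" -v oif="$2" '
        /^Chain / { chain = $2; next }   # remember which chain we are in
        chain == "POSTROUTING" && $3 == "MASQUERADE" && $7 == oif && $8 == src {
            print $1; found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# rule_status BEFORE AFTER: classify two counter readings of the same rule.
rule_status() {
    case "$1$2" in *absent*) echo absent; return ;; esac
    if [ "$2" -gt "$1" ]; then echo matching; else echo idle; fi
}

# POSTROUTING chains from the two listings on this page (whitespace trimmed).
sample_before() { cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0
EOF
}
sample_after() { cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    1    60 MASQUERADE  all  --  *      enahisic2i0  10.10.104.83         0.0.0.0/0
EOF
}

before=$(sample_before | masq_pkts 10.10.104.83 enahisic2i0)
after=$(sample_after | masq_pkts 10.10.104.83 enahisic2i0)
echo "before=$before after=$after -> $(rule_status "$before" "$after")"
```

On a live host, pipe `iptables -nvxL -t nat` into `masq_pkts` before and after generating traffic from the guest instead of using the embedded samples.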



  • Original article: https://www.cnblogs.com/dream397/p/13785796.html