Using Iptables to bind an extranet IP to Docker

Source: Internet
Author: User
Tags iptables
Background

By default a Docker container cannot be reached directly from outside, so the usual approach is to map container ports to host ports at startup (the -p option) and communicate through the host. Sometimes that is inconvenient, especially during development before an image is packaged: it would be handy if the container could talk to the outside the way a virtual machine does, that is, be bound to an external IP address of its own.
Docker's default network mode is bridge; after installation a bridge named docker0 is created, typically with address 172.17.42.1 and netmask 255.255.0.0. Each container that starts is assigned an address in the same segment (172.17.0.0/16). When a container starts, a veth pair is created: one end is eth0 inside the container, the other is attached to the docker0 bridge and named veth*. As shown below:

# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.56847afe9799       no              veth135f096
                                                        veth5f8fe2d

In this way containers can communicate with the host and with each other, and host and containers share the virtual network.
During development you may want the container to behave like a virtual machine, with remote login and direct access. That requires binding the container to a separate external IP address, which can be done with iptables port forwarding.

Environment

An Ubuntu server on the 10.50.10.0/26 segment with IP 10.50.10.26; because Open vSwitch (OvS) is also in use, the IP sits on br-ex.
An Ubuntu container with IP 172.17.0.1/26.

Purpose

Bind the external IP 10.50.10.56 to the container 172.17.0.1 using iptables.

Process

The whole process is roughly divided into 3 parts:

1. Bind multiple IP addresses to the host

This step binds another IP to the bridge as an alias interface (br-ex:0):

# ifconfig br-ex:0 10.50.10.56/24

To keep the address after a reboot, add it to /etc/network/interfaces.

2. Set up DNAT with iptables

DNAT rewrites the destination address of a packet: packets addressed to 10.50.10.56 have their destination changed to 172.17.0.1, so they are delivered to the container:

# iptables -t nat -A PREROUTING -d 10.50.10.56 -p tcp -m tcp --dport 1:65535 -j DNAT --to-destination 172.17.0.1:1-65535

3. Set up SNAT with iptables

SNAT rewrites the source IP address of the packet: once a packet has been redirected to the container, its source is changed to the docker0 address.

# iptables -t nat -A POSTROUTING -d 172.17.0.1 -p tcp -m tcp --dport 1:65535 -j SNAT --to-source 172.17.42.1
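As an added example (not from the original post), the following script assembles the DNAT/SNAT pair from steps 2 and 3 for one container, narrowed from the post's 1:65535 range to an explicit port list, appends each rule only if an identical one is not already present, and checks that the host actually forwards packets. The variable names and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build and apply the DNAT/SNAT pair for one container.
# Assumed defaults taken from the post's environment; override via env vars.
set -eu

EXT_IP="${EXT_IP:-10.50.10.56}"       # extra address bound on br-ex:0
CT_IP="${CT_IP:-172.17.0.1}"          # container address
BRIDGE_IP="${BRIDGE_IP:-172.17.42.1}" # docker0 address used as SNAT source
PORTS="${PORTS:-22,80}"               # only the services that must be reachable
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the rules, 0 = run iptables as root

# Rule bodies (everything after "-t nat"), so the same text can be used
# with -C (check), -A (append) and -D (delete).
dnat_rule() {
    # $1 external IP, $2 container IP, $3 comma-separated port list
    echo "PREROUTING -d $1 -p tcp -m multiport --dports $3 -j DNAT --to-destination $2"
}
snat_rule() {
    # $1 container IP, $2 comma-separated port list, $3 docker0 IP
    echo "POSTROUTING -d $1 -p tcp -m multiport --dports $2 -j SNAT --to-source $3"
}

# Append the rule only if the nat table does not already contain it,
# so re-running the script never stacks duplicate rules.
apply_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat -A $1"
        return 0
    fi
    # word-splitting the rule text into arguments is intended here
    # shellcheck disable=SC2086
    iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1
}

# DNAT only changes the destination; the kernel still has to route the packet
# to docker0, which needs net.ipv4.ip_forward=1. Returns 0 when forwarding is on.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

main() {
    forwarding_enabled || echo "warning: ip_forward is 0; DNAT'd packets will not reach $CT_IP" >&2
    apply_rule "$(dnat_rule "$EXT_IP" "$CT_IP" "$PORTS")"
    apply_rule "$(snat_rule "$CT_IP" "$PORTS" "$BRIDGE_IP")"
}
main
```

Note that the SNAT rule makes every connection appear to the container to come from 172.17.42.1, so services inside the container cannot log or filter by the real client address.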
Save the rules

To keep the rules, save them with:

# /etc/init.d/iptables save

Delete the rules

If you want to remove the two rules you created, delete them by their position in the chain:

# iptables -t nat -D PREROUTING <number>
# iptables -t nat -D POSTROUTING <number>

Validate

First, list the nat table to see whether the rules took effect:

# iptables -n -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            10.50.10.56          tcp dpts:1:65535 to:172.17.0.1:1-65535

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.50.10.0/26        0.0.0.0/0
MASQUERADE all  --  172.17.0.0/16        0.0.0.0/0
SNAT       tcp  --  0.0.0.0/0            172.17.0.1           tcp dpts:1:65535 to:172.17.42.1

You can then verify end to end by installing a service that listens on a port, such as SSH or apache2, in the container and connecting to it via 10.50.10.56.

Of course there are many ways to achieve this; comments and criticism are welcome.

References

1. "Docker: From Beginner to Practitioner", Advanced Network Configuration
http://dockerpool.com/static/books/docker_practice/advanced_network/README.html
2. The netfilter/iptables HOWTOs
http://www.netfilter.org/documentation/index.html
3. Iptables Tutorial
http://man.chinaunix.net/network/iptables-tutorial-cn-1.1.19.html


Reposted from: http://blog.csdn.net/shipengfei92/article/details/47089055
