iptables: No chain/target/match by that name: how do I fix it?

The port mapped from the container to the host cannot be reached with telnet. On the first start the container fails with:
Error response from daemon: Cannot start container server: iptables failed: iptables --wait -t filter -A DOCKER ! -i docker0 -o docker0 -p tcp -d 192.168.42.34 --dport 19094 -j ACCEPT: iptables: No chain/target/match by that name.
On the second start the container runs normally, but the port mapped to the host still cannot be reached with telnet:
telnet: Unable to connect to remote host: No route to host
Other containers I created have no such problem. I compared the routes inside this container with those of a container that can be reached, and they are identical, so I don't know what the cause is.
邓磊 (systems operations engineer): It is probably a problem when Docker modifies the host's iptables. The fix is to restart iptables on the host first, and then restart the docker service.
tkjr (asker): Thanks to 邓磊 above for the answer. I searched for a long time and couldn't find a command to restart iptables on Ubuntu; it seems it can't be restarted. But I restarted the docker service directly and everything recovered. It looks like this problem appears once the docker service has been running for a long time. Earlier, when restarting individual containers, I saw "iptables failed" a few times, but after a few more restarts it was fine and the ports worked, so I didn't pay attention. This time the container came up but the port was unreachable, which directly affected the service, and that's when I realised the problem isn't incidental. I'll keep watching to see how long it takes before it appears. I don't know whether any expert can fix this completely.
Another reply: Don't let Docker modify the host's iptables directly; change it by hand instead. You can refer to http://www.aixchina.net/club/thread--2.html
iptables not installed on centos - Server Fault
If a machine does not have iptables installed, is there still a firewall running?
If yes, how do I disable / change rules?
If I enter the command iptables I receive the response:
iptables v1.4.7: no command specified
[root@ruad1 ~]# iptables -L
FATAL: Module ip_tables not found.
iptables v1.4.7: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
I have been searching but all documentation on firewalls for centos seems to refer to iptables.
If I do ip route list, there seem to be a lot of rules?
Edit: Answer to questions in comments:
output of ls -alL /sbin/iptables
-rwxr-xr-x 1 root root 54200 Nov 23 2013 /sbin/iptables
I receive the following when I do iptables restart
kernel version:
2.6.32-5-vserver-amd64
contents of /lib/modules/2.6.32-5-vserver-amd64
Any command that I issue with iptables (restart, stop, ...) receives the same error as pasted above.
/sbin/iptables output:
iptables v1.4.7: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
output of touch /tmp/foo; ls -la /tmp/foo
-rw-r--r-- 1 root root 0 Jun 27 16:51 /tmp/foo
It looks like the machine is running in a virtualized environment, or more specifically in an environment like LXC, OpenVZ or Virtuozzo. The kernel version (2.6.32-5-vserver-amd64) gives this away.
In such an environment the kernel is shared between the host and the guest systems, and not all kernel APIs are available in the VMs. I guess that's the reason why you get a permission error when calling iptables.
When you find out in which environment your machine is running, you might be able to find a solution online:
The knowledge base for Parallels' Virtuozzo has an article on .
The OpenVZ wiki has an article on .
But you might have to contact the administrator of the host system to make the necessary changes.
First, try this command:
iptables -t nat -L
Also check the loaded module list for iptables; a module might be missing.
cat /proc/net/ip_tables_matches
Check the rules in /etc/sysconfig/iptables for any suspicious entry or space character.
Second, try this:
$ sudo grep -R "options nf_conntrack ip_conntrack_disable_ve0=1" /etc/modprobe.d/
and replace the "1" with "0":
options nf_conntrack ip_conntrack_disable_ve0=0
Then reboot your system.
Usually the iptables feature is included in a basic CentOS 6 installation (with minimal networking); whether it is active or not depends on whether the modules (ip_tables and iptable_filter) are loaded.
To enable/disable iptables you can use the service command (service iptables start/stop/restart, as listed by TBI infotech).
Given the log "Error: Module ip_tables not found", it looks like your ip_tables module doesn't exist or has been relocated somewhere.
It's also possible that your kernel version doesn't match the module library on your system.
You can check the following to confirm:
modinfo ip_tables (if this fails, it means the target module file can't be located for your running kernel.)
Look up your running kernel version (uname -r); your kernel module path should be the folder /lib/modules/$(uname -r)/.
Normally the file ip_tables.ko should be at /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/. Otherwise your iptables service will not function.
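The module checks the answer above describes (is ip_tables.ko where the running kernel expects it, and is the module actually loaded), as an added POSIX sh example that is not part of the Server Fault thread. The MODROOT and PROCMODULES parameters are assumptions so the check can be pointed at a test tree; on a real host they default to /lib/modules and /proc/modules.

```shell
#!/bin/sh
# Added example (not from the Server Fault answers): check whether the
# ip_tables kernel module the iptables userspace tool needs is present on
# disk and loaded. MODROOT/PROCMODULES are assumed parameters for testing.

# ip_tables_module_path KERNEL [MODROOT]
# Prints the expected path of ip_tables.ko for the given kernel release.
ip_tables_module_path() {
    kernel="$1"
    modroot="${2:-/lib/modules}"
    printf '%s/%s/kernel/net/ipv4/netfilter/ip_tables.ko\n' "$modroot" "$kernel"
}

# module_file_present KERNEL [MODROOT]
# Returns 0 if ip_tables.ko (plain or compressed) exists under MODROOT.
module_file_present() {
    path=$(ip_tables_module_path "$1" "$2")
    for candidate in "$path" "$path.gz" "$path.xz" "$path.zst"; do
        [ -f "$candidate" ] && return 0
    done
    return 1
}

# module_loaded NAME [PROCMODULES]
# Returns 0 if NAME is the first field of a line in /proc/modules.
module_loaded() {
    name="$1"
    procmod="${2:-/proc/modules}"
    [ -r "$procmod" ] || return 1
    awk -v n="$name" '$1 == n { found = 1 } END { exit(found ? 0 : 1) }' "$procmod"
}

# diagnose KERNEL [MODROOT] [PROCMODULES]
# Prints "ok" (module loaded), "not-loaded" (file present, not loaded) or
# "missing-file" (the .ko is not under the running kernel's module tree,
# the situation the question's "Module ip_tables not found" points at).
diagnose() {
    if module_loaded ip_tables "$3"; then
        echo ok
    elif module_file_present "$1" "$2"; then
        echo not-loaded
    else
        echo missing-file
    fi
}

# Stand-alone usage on a real host:
#   diagnose "$(uname -r)"
```

"not-loaded" is the case `modprobe ip_tables` fixes; "missing-file" means the kernel and module tree do not match, or (as in the question's vserver guest) the host kernel simply does not expose netfilter to the guest.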
Maybe it's just a problem with PATH. Try putting /sbin instead of /bin in your PATH definition.
Edit: ah, ok, now you say it's Debian. Whatever.
First, my thanks to a friend; his blog: /blog/search?query=iptables
For commonly used iptables commands, please refer to my friend's blog.
On Android, iptables is generally used for proxying and for app firewall functionality.
There are several open-source projects; I recommend looking them up on Google Code:
droidwall: app network firewall;
proxydroid: proxy app supporting multiple network protocols;
gaeproxy: proxy app with its own Python server side, apparently usable to get past the GFW.
All of the above require root privileges.
How an app network firewall is implemented:
Use iptables to set rules in the filter table on the OUTPUT chain, applying REJECT or DROP to packets going out over Wi-Fi or 2G/3G.
REJECT: block the packet and send a packet notifying the other side.
DROP: discard the packet without further processing; after this action no further rules are compared and the filtering process ends.
REJECT and DROP both make the app unable to reach the network, so either one will do.
How do we tell Wi-Fi from 2G/3G?
We use the -o parameter to distinguish whether the packet goes out over Wi-Fi or GPRS:
Parameter: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Description: matches which network interface the packet will be sent out of; set the same way as above.
There are three kinds of Wi-Fi interface (see droidwall's Api.java): tiwlan+, wlan+, eth+
and six kinds of GPRS interface: rmnet+, pdp+, ppp+, uwbr+, wimax+, vsnet+
One question remains: how do we tell which app a packet comes from?
Since iptables operates at the lower three layers of the seven-layer model, it should not be able to distinguish applications by itself.
Here we use the extension match -m with the owner module:
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: matches whether packets originating from the local host were generated by a particular user. This can keep the server from sending sensitive data out as root or another identity and limits the damage if the system is compromised. Unfortunately this match cannot be applied to packets coming from other hosts.
Here is a complete example:
iptables -t filter -A OUTPUT -o wlan+ -m owner --uid-owner 10042 -j DROP
Description: operate on the OUTPUT chain of the filter table (-t filter can be omitted; filter is the default table) and drop packets that go out via wlan+ and were generated by uid 10042.
If you get No chain/target/match by that name when running it, your ROM probably does not support this operation.
iptables needs to be version 1.4+ and the kernel must support the iptables operations, so not every rooted ROM supports it.
Today it's just the app firewall; I'll cover proxying another day (note in advance that proxying operates on the nat table).
For code, see droidwall; download: http://download.csdn.net/detail/luck_apple/4549925
Why can't Chrome upload code? Safari can??
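The per-app OUTPUT rules described above, generated for one uid across every Wi-Fi or GPRS interface pattern, as an added shell example. This is not droidwall's code; the interface patterns are the ones the text lists from droidwall's Api.java, and the function names, the IPTABLES variable and the dry-run default are my assumptions. By default it echoes the iptables commands instead of running them; on a rooted device set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example (not droidwall's code): emit the OUTPUT-chain rules that
# block one Android uid on Wi-Fi, GPRS or both. Interface patterns are the
# ones listed in the text. IPTABLES defaults to a dry run that prints the
# commands; set IPTABLES=iptables on a rooted device to install them.

WIFI_IFACES="tiwlan+ wlan+ eth+"
GPRS_IFACES="rmnet+ pdp+ ppp+ uwbr+ wimax+ vsnet+"
: "${IPTABLES:=echo iptables}"

# block_app_rules UID NETWORK [ACTION]
#   NETWORK is "wifi", "gprs" or "all"; ACTION is DROP (default) or REJECT.
# One rule per matching interface pattern, exactly the rule shape shown in
# the text: -t filter -A OUTPUT -o <iface> -m owner --uid-owner <uid> -j <action>
block_app_rules() {
    uid="$1"; network="$2"; action="${3:-DROP}"
    case "$network" in
        wifi) ifaces="$WIFI_IFACES" ;;
        gprs) ifaces="$GPRS_IFACES" ;;
        all)  ifaces="$WIFI_IFACES $GPRS_IFACES" ;;
        *)    echo "unknown network: $network" >&2; return 1 ;;
    esac
    case "$action" in
        DROP|REJECT) ;;
        *) echo "action must be DROP or REJECT" >&2; return 1 ;;
    esac
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;;
    esac
    for iface in $ifaces; do
        # $IPTABLES is intentionally unquoted so "echo iptables" splits into two words
        $IPTABLES -t filter -A OUTPUT -o "$iface" -m owner --uid-owner "$uid" -j "$action"
    done
}

# rule_count UID NETWORK: how many rules block_app_rules would install.
rule_count() {
    block_app_rules "$1" "$2" | wc -l | tr -d ' '
}

# Example from the text: block uid 10042 on Wi-Fi (dry run by default).
block_app_rules 10042 wifi
```

Running the dry run before applying is also the cheapest way to see why "No chain/target/match by that name" appears: if the first generated command fails that way on a ROM, the owner match (or the filter table itself) is missing from that kernel, and no amount of retrying will help.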
CentOS 7: starting a Docker container fails with iptables "No chain/target/match by that name" (伯乐在线)
When starting a container with NAT-mapped ports, iptables reports No chain/target/match by that name:
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
Error response from daemon: Cannot start container 565c06efde6cdef3ddd777bc5fdd86076b9e: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 3888 -j DNAT --to-destination 192.168.42.11:3888 ! -i docker0: iptables: No chain/target/match by that name
After going through countless websites and the official issues I still couldn't find a real solution; what gets reposted everywhere only analyses the cause and gives no clear fix. In the end a colleague and I worked through the night and solved it.
Locate the system's /etc/sysconfig/iptables. If it doesn't exist, save the current rules with the following command, then inspect its contents:
iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
The contents were as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N whitelist
-A whitelist -s 192.168.42.0/24 -j ACCEPT
#syn
-N syn-flood
-A INPUT -p tcp --syn -j syn-flood
-I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
-A syn-flood -j REJECT
#DOS
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
## some simple firewall rules omitted
Looking at the error from starting the container, it refers to -A DOCKER, i.e. the DOCKER chain, but there is no such chain in the iptables file.
Since I never hit this problem when learning Docker on my own system (Arch Linux),
I immediately looked at the iptables file on my own system:
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 1521 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49161 -j DNAT --to-destination 172.17.0.3:1521
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 49160 -j DNAT --to-destination 172.17.0.3:22
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 1521 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
After comparing and removing the unrelated rules, the *nat table contains the following Docker configuration:
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
The *filter table contains the following Docker configuration:
*filter
:INPUT ACCEPT [139291:]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
The configuration file with the unrelated rules removed is as follows (it can be used directly):
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
# Generated by iptables-save v1.4.21 on Sun Sep 20 17:35:31 2015
*filter
:INPUT ACCEPT [139291:]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [127386:5251162]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Sun Sep 20 17:35:31 2015
Then add your own server's filtering rules, merge the two, and overwrite /etc/sysconfig/iptables on CentOS 7 with the result.
Restart the iptables service:
systemctl restart iptables.service
Start the corresponding Docker container a second time:
docker run -d -p 2181:2181 -p 2888:2888 -p 3888:3888 garland/zookeeper
The container now starts successfully. There is a warning, but it does not affect use of the container.