```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500,1701
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.18.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  10.31.0.0/24         0.0.0.0/0
ACCEPT     all  --  10.31.1.0/24         0.0.0.0/0
ACCEPT     all  --  10.31.2.0/24         0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            172.17.0.2           udp dpt:4500
ACCEPT     udp  --  0.0.0.0/0            172.17.0.2           udp dpt:500
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.7           tcp dpt:9001
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:25

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```
Those rules for 25, 143, and 587 should have been added automatically by Docker. Do I still need to open the corresponding ports on the host to access them?
It depends on your Docker network mode.
If it is bridge mode, the port mapping rule is ip:port:targetPort.
For example, 0.0.0.0:80:8080 means that port 80 of the host machine is mapped to port 8080 of the container, with no restriction on the IP. Any request to port 80 of the host machine will then be forwarded to port 8080 in the container, and no additional iptables settings are required. (This works even if the firewall does not open port 80 in advance, because port mapping modifies the iptables rules by itself.)
If the IP address is explicitly specified, the iptables rule will limit access so that only port 80 of that IP reaches port 8080 in the container. Docker port mapping is actually network interoperability achieved by modifying iptables rules.
If it is net mode, it is the same as setting up a listening port on the host. There will be no additional changes to the iptables rules, so you need to set iptables manually to allow external access.
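As an added example (not the poster's code and not anything Docker ships), a small Python parser for `iptables -L -n` output that separates the container ports Docker already accepts in its DOCKER chain (reached via FORWARD) from the ports the INPUT chain accepts; the embedded listing is constructed from the output in the question.

```python
import re
# Constructed sample in iptables -L -n layout, trimmed from the listing in the question.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500,1701

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            172.17.0.2           udp dpt:4500
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:25
"""

def parse_chains(text):
    """Return {chain: [(target, proto, src, dst, extra), ...]} from iptables -L -n output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            parts = line.split(None, 5)          # match text is the optional 6th field
            target, proto, _opt, src, dst = parts[:5]
            chains[current].append((target, proto, src, dst, parts[5] if len(parts) > 5 else ""))
    return chains

def accepted_ports(rules):
    """(proto, port) pairs ACCEPTed by a chain; handles 'dpt:N' and 'multiport dports A,B'."""
    ports = set()
    for target, proto, _src, _dst, extra in rules:
        if target != "ACCEPT":
            continue
        for m in re.finditer(r"dpt:(\d+)|dports (\S+)", extra):
            for p in (m.group(1) or m.group(2)).split(","):
                ports.add((proto, int(p)))
    return ports

def audit(text):
    """Ports Docker accepts in FORWARD (DOCKER chain) versus ports INPUT accepts.
    Bridge-published ports need no INPUT rule (traffic is forwarded to the bridge);
    a service in host networking is reachable only if INPUT allows it."""
    chains = parse_chains(text)
    forwarded = accepted_ports(chains.get("DOCKER", []))
    inbound = accepted_ports(chains.get("INPUT", []))
    return forwarded, inbound, forwarded - inbound
```

The third value returned by `audit` lists published container ports with no matching INPUT rule, which is the expected state for bridge mode and the gap to close if the same service were run with host networking.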