Summary of methods for mapping a Docker container's internal ports to ports on the external host

[root@docker-test ~]# docker run -ti -d --name my-nginx9 docker.io/nginx
990752e39d75b977cbff5a944247366662211ce43d16843a452a5697ddded12f

[root@docker-test ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
990752e39d75        docker.io/nginx     "nginx -g 'daemon ..."   2 seconds ago       Up 1 second         80/tcp              my-nginx9

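At this point, because the container my-nginx9 was started without mapping its internal port 80 to a port on the host, it cannot be accessed by default!

Now set up NAT forwarding with iptables on the host.

First, get the container's IP address: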

[root@docker-test ~]# docker inspect my-nginx9|grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.9",
"IPAddress": "172.17.0.9",

[root@docker-test ~]# ping 172.17.0.9
PING 172.17.0.9 (172.17.0.9) 56(84) bytes of data.
64 bytes from 172.17.0.9: icmp_seq=1 ttl=64 time=0.105 ms
64 bytes from 172.17.0.9: icmp_seq=2 ttl=64 time=0.061 ms
.....

[root@docker-test ~]# telnet 172.17.0.9 80
Trying 172.17.0.9...
Connected to 172.17.0.9.
Escape character is '^]'

Notes on setting up an iptables environment on CentOS 7 (with the default firewalld disabled)

Reference: http://www.cnblogs.com/kevingrace/p/5799210.html

Map the container's port 80 to port 9998 on the Docker host:

[root@docker-test ~]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 9998 -j DNAT --to-destination 172.17.0.9:80
[root@docker-test ~]# iptables -t nat -A POSTROUTING -d 172.17.0.9/32 -p tcp -m tcp --sport 80 -j SNAT --to-source 192.16.10.214
[root@docker-test ~]# iptables -t filter -A INPUT -p tcp -m state --state NEW -m tcp --dport 9998 -j ACCEPT

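Save the iptables rules above:

[root@docker-test ~]# iptables-save > /etc/sysconfig/iptables

View the /etc/sysconfig/iptables file. Note that the two lines below containing the icmp-host-prohibited setting must be commented out! Otherwise the NAT forwarding will fail!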

[root@docker-test ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 10 11:13:57 2018
*nat
:PREROUTING ACCEPT [32:1280]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 9998 -j DNAT --to-destination 172.17.0.9:80
-A POSTROUTING -d 172.17.0.9/32 -p tcp -m tcp --sport 80 -j SNAT --to-source 192.16.10.214
COMMIT
# Completed on Fri Aug 10 11:13:57 2018
# Generated by iptables-save v1.4.21 on Fri Aug 10 11:13:57 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5056]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9998 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Aug 10 11:13:57 2018

Finally, restart the iptables service:

[root@docker-test ~]# systemctl restart iptables

View the iptables rules:

[root@docker-test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:distinct32

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@docker-test ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:distinct32 to:172.17.0.9:80

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  anywhere             172.17.0.9           tcp spt:http to:192.16.10.214

Then browse to http://192.168.10.214:9998/ and the request is forwarded to port 80 of the my-nginx9 container!!!
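With both icmp-host-prohibited REJECT lines commented out, the saved ruleset above leaves INPUT and FORWARD at policy ACCEPT with nothing to stop unmatched traffic. The following is an added example, not part of the original article: open_chains flags such chains in iptables-save text, and narrow_ruleset is a constructed alternative (an assumption) that keeps both REJECT rules and admits only the DNATed flow to 172.17.0.9:80 through FORWARD, the chain a DNATed packet actually traverses.

```shell
# open_chains: reads iptables-save text on stdin; prints "OPEN <chain>" for
# each filter INPUT/FORWARD chain with policy ACCEPT and no catch-all
# REJECT/DROP rule, i.e. a chain that accepts whatever reaches its end.
open_chains() {
    awk '
        /^\*/      { in_filter = ($0 == "*filter") }
        !in_filter { next }
        /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2 }
        /^-A (INPUT|FORWARD) -j (REJECT|DROP)/ { closed[$2] = 1 }
        END {
            for (c in policy)
                if (policy[c] == "ACCEPT" && !(c in closed)) print "OPEN " c
        }' | sort
}

# Filter table as saved in the article (both REJECT lines commented out).
page_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:5056]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9998 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed alternative (assumption, not the article's rules): restore both
# REJECT rules and put two narrow FORWARD accepts in front of the second one.
narrow_ruleset() {
    page_ruleset | awk '
        /^#-A FORWARD -j REJECT/ {
            print "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
            print "-A FORWARD -d 172.17.0.9/32 -p tcp -m tcp --dport 80 -j ACCEPT"
        }
        { sub(/^#-A/, "-A"); print }'
}

echo "article ruleset:"; page_ruleset | open_chains
echo "narrow ruleset:";  narrow_ruleset | open_chains
```

On a host where the Docker daemon manages its own FORWARD chains, check how the narrow rules interact with them before loading the file with iptables-restore.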

Original: https://www.cnblogs.com/x_wukong/p/10041071.html
Author: 明明是悟空
Title: Summary of methods for mapping a Docker container's internal ports to ports on the external host
