I’m using a flannel network on two CentOS 7 hosts, and I have run into a problem.
When I disable firewalld.service, the container fbox1 (172.30.29.2) on the docker1 host can ping the container fbox2 (172.30.53.2) on the docker2 host. That seems OK, but when I start firewalld.service, fbox1 cannot ping fbox2.
Please help me modify the iptables policy, thanks.
[root@docker1 ~]# ip r
default via 192.168.205.2 dev eno16777736 proto static metric 102
169.254.0.0/16 dev ens37 proto kernel scope link src 169.254.134.39 metric 101
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1
172.30.0.0/16 dev flannel.1
172.30.29.0/24 dev docker0 proto kernel scope link src 172.30.29.1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.205.0/24 dev eno16777736 proto kernel scope link src 192.168.205.135 metric 102
224.0.0.0/4 dev ens37 proto static scope link metric 101
[root@docker2 ~]# ip r
default via 192.168.0.1 dev ens37 proto dhcp metric 103
default via 192.168.205.2 dev eno16777736 proto static metric 104
172.18.0.0/16 dev docker_gwbridge proto kernel scope link src 172.18.0.1
172.30.0.0/16 dev flannel.1
172.30.53.0/24 dev docker0 proto kernel scope link src 172.30.53.1
192.168.0.0/24 dev ens37 proto kernel scope link src 192.168.0.103 metric 103
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
192.168.205.0/24 dev eno16777736 proto kernel scope link src 192.168.205.136 metric 104
When I stop firewalld.service, the container fbox1 can ping fbox2:
[root@docker1 ~]# docker exec fbox1 ping 172.30.53.2
PING 172.30.53.2 (172.30.53.2): 56 data bytes
64 bytes from 172.30.53.2: seq=0 ttl=62 time=0.586 ms
64 bytes from 172.30.53.2: seq=1 ttl=62 time=0.935 ms
But when I start firewalld.service, it can’t ping fbox2:
[root@docker1 ~]# docker exec fbox1 ping -c 2 172.30.53.2
PING 172.30.53.2 (172.30.53.2): 56 data bytes
2 packets transmitted, 0 packets received, 100% packet loss
My iptables policy:
[root@docker1 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (3 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (3 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (3 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination
[root@docker1 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
PREROUTING_ZONES_SOURCE all -- anywhere anywhere
PREROUTING_ZONES all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
RETURN all -- 192.168.122.0/24 base-address.mcast.net/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
POSTROUTING_direct all -- anywhere anywhere
POSTROUTING_ZONES_SOURCE all -- anywhere anywhere
POSTROUTING_ZONES all -- anywhere anywhere

Chain OUTPUT_direct (1 references)
target prot opt source destination

Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]
POST_public all -- anywhere anywhere [goto]

Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain POSTROUTING_direct (1 references)
target prot opt source destination

Chain POST_public (3 references)
target prot opt source destination
POST_public_log all -- anywhere anywhere
POST_public_deny all -- anywhere anywhere
POST_public_allow all -- anywhere anywhere

Chain POST_public_allow (1 references)
target prot opt source destination

Chain POST_public_deny (1 references)
target prot opt source destination

Chain POST_public_log (1 references)
target prot opt source destination

Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]
PRE_public all -- anywhere anywhere [goto]

Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination

Chain PREROUTING_direct (1 references)
target prot opt source destination

Chain PRE_public (3 references)
target prot opt source destination
PRE_public_log all -- anywhere anywhere
PRE_public_deny all -- anywhere anywhere
PRE_public_allow all -- anywhere anywhere

Chain PRE_public_allow (1 references)
target prot opt source destination

Chain PRE_public_deny (1 references)
target prot opt source destination

Chain PRE_public_log (1 references)
target prot opt source destination
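Added example, not part of the question above and not a reply from the original thread: a small POSIX shell helper that prints the firewalld changes a practitioner would review for the two places a default public-zone policy can stop flannel traffic (the encapsulated UDP arriving in INPUT on the uplink, and the decapsulated packets crossing FORWARD between flannel.1 and docker0, where the dump ends in REJECT icmp-host-prohibited), plus a check that reads an `iptables -S` dump and confirms the FORWARD-side rule is in place. Everything in it that the post does not state is an assumption: that flannel runs the vxlan backend on its default UDP port 8472 (the udp backend uses 8285 instead), that the two hosts talk over 192.168.205.135 and 192.168.205.136 (the only subnet both routing tables share), and that `public` is the active zone. Confirm those against the flannel configuration before applying anything.

```shell
#!/bin/sh
# Added example, not code from the original post. Labelled assumptions:
#   VXLAN_PORT 8472 is flannel's vxlan default (udp backend: 8285); the real
#   value comes from the flannel config. PEER_IPS are the two hosts' addresses
#   on 192.168.205.0/24 from the post's routing tables. `public` is taken to be
#   the active zone because those are the chains firewalld created.
set -eu

OVERLAY_CIDR="172.30.0.0/16"                    # flannel network from the post
VXLAN_PORT="8472"                               # assumed default
PEER_IPS="192.168.205.135 192.168.205.136"      # assumed docker1/docker2 uplinks

# Print the firewall-cmd invocations as text so they can be reviewed first;
# apply with  `sh this_script.sh plan | sh`  as root on both hosts.
plan_rules() {
    ip=""
    # INPUT side: encapsulated packets arrive on the uplink as UDP/$VXLAN_PORT,
    # and the public zone only admits ssh, icmp and dhcp-client traffic. VXLAN
    # carries no authentication, so admit the port from the known peers only;
    # a zone-wide --add-port would let anyone on the LAN inject frames into
    # the overlay.
    for ip in $PEER_IPS; do
        printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=%s/32 port port=%s protocol=udp accept'\n" "$ip" "$VXLAN_PORT"
    done
    # FORWARD side: after decapsulation the packet is routed flannel.1 -> docker0
    # (docker0 -> flannel.1 on the sending host). A direct rule lands in
    # FORWARD_direct, which FORWARD consults before its final
    # "REJECT ... icmp-host-prohibited". Limit it to overlay-to-overlay traffic
    # rather than trusting whole interfaces.
    printf "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s %s -d %s -j ACCEPT\n" "$OVERLAY_CIDR" "$OVERLAY_CIDR"
    printf "firewall-cmd --reload\n"
}

# Verify the FORWARD side from `iptables -S` output on stdin: FORWARD must jump
# to FORWARD_direct before any unconditional REJECT/DROP, and FORWARD_direct
# must hold the overlay ACCEPT. Exits 0 when both hold.
overlay_forward_ok() {
    awk -v cidr="$OVERLAY_CIDR" '
        $1=="-A" && $2=="FORWARD" && $3=="-j" && $4=="FORWARD_direct" { jump=1 }
        $1=="-A" && $2=="FORWARD" && $3=="-j" && ($4=="REJECT" || $4=="DROP") && !jump { blocked=1 }
        $1=="-A" && $2=="FORWARD_direct" && index($0, "-s " cidr) && index($0, "-d " cidr) && /-j ACCEPT$/ { rule=1 }
        END { exit (jump && rule && !blocked) ? 0 : 1 }'
}

# Constructed samples in the shape of the post's FORWARD chain (iptables -S
# form), before and after the direct rule has been added.
SAMPLE_BEFORE='-P FORWARD ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
SAMPLE_AFTER="$SAMPLE_BEFORE
-A FORWARD_direct -s $OVERLAY_CIDR -d $OVERLAY_CIDR -j ACCEPT"

if [ "${1:-}" = "plan" ]; then
    plan_rules
fi
```

After applying on a real host, `iptables -S | overlay_forward_ok && echo ok` confirms the FORWARD half; the INPUT half is visible in `firewall-cmd --zone=public --list-rich-rules`. The per-peer rich rule rather than `--add-port` is deliberate: VXLAN frames are unauthenticated, so whoever can reach UDP/8472 can put packets onto the overlay.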