centos7 docker配置防火牆firewalld

docker防火牆使用的是底層iptables，封裝後的firewalld默認不生效

若是想要使用firewalld，須要作如下調整：

讓firewalld移除DOCKER-USER並新建一個

# Removing DOCKER-USER CHAIN (it won't exist at first)
firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER

# Flush rules from DOCKER-USER chain (again, these won't exist at first; firewalld seems to remember these even if the chain is gone)
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER

# Add the DOCKER-USER chain to firewalld
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER

加上你想要的規則，注意reject放在最後

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -j ACCEPT -m comment --comment "allows incoming from docker"
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -o eth0 -j ACCEPT -m comment --comment "allows docker to eth0"
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "allows docker containers to connect to the outside world"
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j RETURN -s 172.17.0.0/16 -m comment --comment "allow internal docker communication"

## 你能夠直接允許來自特定 IP 的全部流量
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -s 61.222.3.133/32 -j ACCEPT 
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 0 -j REJECT --reject-with icmp-host-unreachable -m comment --comment "reject all other traffic"

最後reload，並經過iptables -L確認是否正確生效

firewall-cmd --reload

參考連接：

https://holywhite.com/archives/489