我按如下所示设置了防火墙,但实际上没有产生任何变化:无论怎么设置,都仍然可以访问。

sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3583 1775K DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
3583 1775K DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
4 240 ACCEPT 6 -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:80
0 0 DROP 0 -- !br-c27e2f70f6de br-c27e2f70f6de 0.0.0.0/0 0.0.0.0/0
0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-BRIDGE (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER 0 -- * br-c27e2f70f6de 0.0.0.0/0 0.0.0.0/0
4 240 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-CT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * br-c27e2f70f6de 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1697 1392K ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
3583 1775K DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
1886 383K DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
1886 383K DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br-c27e2f70f6de * 0.0.0.0/0 0.0.0.0/0
1882 383K ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-INTERNAL (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
# IPv4 NAT table as dumped from the running host. These rules only rewrite
# addresses; whether a packet is allowed is decided in the filter table.
table ip nat {
chain DOCKER {
# Published port: TCP 1080 arriving on any interface except docker0 is
# rewritten to 172.17.0.2:80. After this rewrite the packet is addressed to the
# container, so it is routed through the forward hook rather than the input
# hook, and later filter rules see destination port 80, not 1080.
iifname != "docker0" tcp dport 1080 counter packets 4 bytes 240 dnat to 172.17.0.2:80
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
# Incoming packets whose destination is one of the host's own addresses are
# passed to the DOCKER chain above.
fib daddr type local counter packets 1279 bytes 78681 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
# Same jump for locally generated packets, except those sent to 127.0.0.0/8.
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
# Source NAT for traffic from each bridge subnet that leaves through an
# interface other than that bridge.
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 221 bytes 14300 masquerade
oifname != "br-c27e2f70f6de" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
# IPv4 filter table as dumped from the running host. The only base chain shown
# here is FORWARD (hook forward), which is the path taken by traffic that the
# nat table has redirected to a container.
table ip filter {
chain DOCKER {
# Accept for the published service. It matches the post-DNAT destination
# (172.17.0.2, tcp port 80); its counter (4 packets) equals the counter on the
# DNAT rule for port 1080 in table ip nat.
iifname != "docker0" oifname "docker0" ip daddr 172.17.0.2 tcp dport 80 counter packets 4 bytes 240 accept
# Anything else entering a bridge from another interface is dropped.
iifname != "br-c27e2f70f6de" oifname "br-c27e2f70f6de" counter packets 0 bytes 0 drop
iifname != "docker0" oifname "docker0" counter packets 0 bytes 0 drop
}
chain DOCKER-FORWARD {
# Evaluation order: conntrack shortcut, DOCKER-INTERNAL (empty here), the
# per-bridge dispatch, then accept for traffic that originates on a bridge.
counter packets 3583 bytes 1775066 jump DOCKER-CT
counter packets 1886 bytes 383187 jump DOCKER-INTERNAL
counter packets 1886 bytes 383187 jump DOCKER-BRIDGE
iifname "br-c27e2f70f6de" counter packets 0 bytes 0 accept
iifname "docker0" counter packets 1882 bytes 382947 accept
}
chain DOCKER-BRIDGE {
# Packets leaving through a bridge are checked against the DOCKER chain.
oifname "br-c27e2f70f6de" counter packets 0 bytes 0 jump DOCKER
oifname "docker0" counter packets 4 bytes 240 jump DOCKER
}
chain DOCKER-CT {
# Packets of already-tracked connections towards a bridge are accepted here.
oifname "br-c27e2f70f6de" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" ct state related,established counter packets 1697 bytes 1391879 accept
}
chain DOCKER-INTERNAL {
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
# DOCKER-USER is consulted first, so a drop placed there takes effect before
# any of the accept rules reached through DOCKER-FORWARD.
counter packets 3583 bytes 1775066 jump DOCKER-USER
counter packets 3583 bytes 1775066 jump DOCKER-FORWARD
}
chain DOCKER-USER {
# Empty in this dump: every forwarded packet falls through to DOCKER-FORWARD,
# so nothing restricts access to the published port.
# NOTE(review): a restriction added here has to match what the packet looks
# like after DNAT (container address, port 80) or use the conntrack original
# destination port (iptables: -m conntrack --ctorigdstport) - confirm against
# the Docker packet-filtering documentation. Per the warning preceding this
# table, it is managed through iptables-nft rather than edited with nft.
}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
# IPv6 NAT table. The DOCKER chain is empty, so this dump contains no IPv6
# port-publishing rule; all counters are zero.
table ip6 nat {
chain DOCKER {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
# Packets addressed to a local IPv6 address are passed to the (empty) DOCKER chain.
fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
# Same jump for locally generated packets, except those sent to ::1.
ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
# IPv6 filter table. It has the same chain layout as table ip filter, but every
# Docker chain is empty and every counter is zero.
table ip6 filter {
chain DOCKER {
}
chain DOCKER-FORWARD {
counter packets 0 bytes 0 jump DOCKER-CT
counter packets 0 bytes 0 jump DOCKER-INTERNAL
counter packets 0 bytes 0 jump DOCKER-BRIDGE
}
chain DOCKER-BRIDGE {
}
chain DOCKER-CT {
}
chain DOCKER-INTERNAL {
}
chain FORWARD {
# Unlike the IPv4 FORWARD chain (policy drop), the policy here is accept and
# none of the chains reached from it contains a rule.
# NOTE(review): if IPv6 forwarding is enabled on this host, nothing in this
# table filters forwarded IPv6 traffic - verify whether that is intended.
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-FORWARD
}
chain DOCKER-USER {
}
}
# Raw table: its prerouting chain runs at priority raw, which is earlier than
# the dstnat priority used by PREROUTING in table ip nat.
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
# Drops packets that arrive on an interface other than docker0 and are already
# addressed to the container IP 172.17.0.2. A connection made to the host's
# published port 1080 still carries the host address as destination at this
# point (DNAT has not run yet), so it does not match this rule; the counter is
# 0 in this dump. This rule therefore does not block the published port.
iifname != "docker0" ip daddr 172.17.0.2 counter packets 0 bytes 0 drop
}
}