Docker NAT table output sequence rule

I am trying to understand one of the rules in iptables:

$ sudo iptables -t nat  --list -v
...

Chain OUTPUT (policy ACCEPT 618 packets, 31267 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

...

Therefore, does this rule try to match the destination address type "LOCAL" rather than an address in the range 127.0.0.0/8?

What address will it match? What is the purpose of this rule?

Thanks!

+4
1 answer

This rule will match all packets originating on the local machine (as it is in the chain OUTPUT) destined for a locally hosted IP address that does not start with 127.X.X.X. Such packets are sent to the chain DOCKER for further processing.

IP-, 127.X.X.X, IP-, . IP-, , DHCP.

To list the IP addresses the kernel treats as local: ip route show table local type local


To see which packets reach the DOCKER chain, add a logging rule:

sudo iptables -t nat -I DOCKER -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'DOCKER CHAIN '

The log entries appear in /var/log/syslog.

+8
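To make the matching behaviour concrete, here is an added example (not code from the question or the answer) that emulates what `-d ! 127.0.0.0/8 -m addrtype --dst-type LOCAL` decides for a set of destination addresses. It parses the output of `ip route show table local type local` to learn which addresses are LOCAL; the table text embedded below is a constructed sample, and the destination addresses are also made up for illustration.

```python
import ipaddress

# Constructed sample of `ip route show table local type local` output
# (hypothetical host with lo, docker0 and eth0; not taken from the post).
SAMPLE_LOCAL_TABLE = """\
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
local 192.168.1.23 dev eth0 proto kernel scope host src 192.168.1.23
"""

# The negated destination match of the rule: ! 127.0.0.0/8
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_local_table(text):
    """Return the list of networks/hosts the kernel classifies as LOCAL.

    Each line of the local routing table looks like
    'local <prefix> dev <if> proto kernel scope host src <addr>'; only the
    second field (the prefix, possibly without a mask) is needed here.
    """
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "local":
            continue
        nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def dst_type_is_local(addr, local_nets):
    """Emulate '-m addrtype --dst-type LOCAL': is addr one of ours?"""
    return any(addr in net for net in local_nets)


def output_rule_matches(dst, local_nets):
    """Emulate the nat OUTPUT rule: jump to DOCKER only when the
    destination is LOCAL and is not in 127.0.0.0/8."""
    addr = ipaddress.ip_address(dst)
    if addr in LOOPBACK_NET:
        return False  # excluded by the '!127.0.0.0/8' destination match
    return dst_type_is_local(addr, local_nets)


def classify(destinations, table_text=SAMPLE_LOCAL_TABLE):
    """Map each destination to True (would jump to DOCKER) or False."""
    local_nets = parse_local_table(table_text)
    return {dst: output_rule_matches(dst, local_nets) for dst in destinations}


if __name__ == "__main__":
    # Constructed destinations: loopback, the docker0 gateway, the eth0
    # address, a public address, and a container address (not LOCAL).
    for dst, hit in classify(
        ["127.0.0.1", "172.17.0.1", "192.168.1.23", "8.8.8.8", "172.17.0.2"]
    ).items():
        print(f"{dst:15} -> {'DOCKER chain' if hit else 'falls through'}")
```

The outcome illustrates the answer: connections from the host to its own non-loopback addresses (for example a published container port reached via the docker0 or eth0 address) are diverted into the DOCKER chain, while loopback traffic, traffic to remote hosts and traffic to container addresses that are routed rather than local are left alone.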
