-systemctl status firewalld | grep -q "running" && { +command -v firewall-cmd > /dev/null || {
- echo "firewalld.service could not be found"
- exit 0
That makes this script depend on firewalld. We should behave equally well without it.
Do any of the firewall rules below need to be executed when there is no firewalld?
I think the following 4 lines need to be executed if there is no firewalld.
+DOCKER0_IFACE=docker0 +DOCKER0_SUBNET=172.17.0.0/16 +iptables -t nat -A POSTROUTING -o $PUB_IFACE -s $DOCKER0_SUBNET -j MASQUERADE +iptables -t nat -A POSTROUTING -o $DOCKER0_IFACE -d $DOCKER0_SUBNET -j MASQUERADE
--------
Thanks, Yu Chuan
Thanks, Fengguang
+}
+systemctl start firewalld +[ "$(systemctl is-active firewalld)" == "active" ] || {
- echo "start firewalld.service failed"
- exit 0
+}
DOCKER0_IFACE=docker0
DOCKER0_SUBNET=172.17.0.0/16
+DOCKER0_IFACE=docker0 +DOCKER0_SUBNET=172.17.0.0/16
iptables -t nat -A POSTROUTING -o $PUB_IFACE -s $DOCKER0_SUBNET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $DOCKER0_IFACE -d $DOCKER0_SUBNET -j MASQUERADE
+iptables -t nat -A POSTROUTING -o $PUB_IFACE -s $DOCKER0_SUBNET -j MASQUERADE +iptables -t nat -A POSTROUTING -o $DOCKER0_IFACE -d $DOCKER0_SUBNET -j MASQUERADE
firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=$DOCKER0_SUBNET accept"
firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=$BR0_SUBNET accept"
firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=0.0.0.0/32 accept"
-} +firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=$DOCKER0_SUBNET accept" +firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=$BR0_SUBNET accept"
+firewall-cmd --zone=public --add-rich-rule="rule family=ipv4 source address=0.0.0.0/32 accept"
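Review bot: in the first hunk, `command -v firewall-cmd > /dev/null` only proves the client binary is installed, not that firewalld is running, so it is not equivalent to the `systemctl status firewalld | grep -q "running"` check it replaces, and the failure branch still ends in `exit 0`, which reports success to the caller on a host that never received any rules. The two `iptables -t nat -A POSTROUTING ... -j MASQUERADE` lines do not need firewalld at all, so move them ahead of this check and let only the `firewall-cmd --add-rich-rule` lines depend on it; if the script must bail out, exit non-zero so the caller can tell "skipped" from "applied".

Review bot: in the second hunk, `systemctl start firewalld` followed by `[ "$(systemctl is-active firewalld)" == "active" ] || { ... }` starts a firewall daemon as a side effect, and on a host that manages iptables directly that replaces the existing policy with firewalld's ruleset; `systemctl is-active --quiet firewalld` already returns the state as an exit code, and `==` inside `[ ]` is a bashism (use `=` if the script may run under sh). The rules are not idempotent either: `iptables -A` appends a duplicate MASQUERADE rule on every run (guard it with `iptables -t nat -C ... || iptables -t nat -A ...`), and `firewall-cmd --add-rich-rule` without `--permanent` is runtime-only and disappears on the next firewalld reload. `$PUB_IFACE` and `$BR0_SUBNET` are expanded unquoted but never set in this hunk, so an empty value silently produces a different rule rather than an error. Finally, `source address=0.0.0.0/32 accept` matches only the single source address 0.0.0.0; if the intent was "any source", that is 0.0.0.0/0, which would accept all traffic into the public zone and deserves an explicit comment in the script explaining why.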