Docker maps a host port when the container is running. Do I still need to open that port in iptables?

  docker, question
Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500,1701
 ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:500
 ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
 ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1701
 ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
 
 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination
 DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
 ACCEPT     all  --  192.168.18.0/24      0.0.0.0/0
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 ACCEPT     all  --  10.31.0.0/24         0.0.0.0/0
 ACCEPT     all  --  10.31.1.0/24         0.0.0.0/0
 ACCEPT     all  --  10.31.2.0/24         0.0.0.0/0
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 
 Chain DOCKER (2 references)
 target     prot opt source               destination
 ACCEPT     udp  --  0.0.0.0/0            172.17.0.2           udp dpt:4500
 ACCEPT     udp  --  0.0.0.0/0            172.17.0.2           udp dpt:500
 ACCEPT     tcp  --  0.0.0.0/0            172.17.0.3           tcp dpt:80
 ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:443
 ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:80
 ACCEPT     tcp  --  0.0.0.0/0            172.17.0.7           tcp dpt:9001
 ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:993
 ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:587
 ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:143
 ACCEPT     tcp  --  0.0.0.0/0            172.18.0.2           tcp dpt:25
 
 Chain DOCKER-ISOLATION (1 references)
 target     prot opt source               destination
 DROP       all  --  0.0.0.0/0            0.0.0.0/0
 DROP       all  --  0.0.0.0/0            0.0.0.0/0
 RETURN     all  --  0.0.0.0/0            0.0.0.0/0

The rules for 25, 143 and 587 above should have been added automatically by Docker. Do I need to open the corresponding ports on the host to access them?

It depends on your Docker network mode:

  1. In bridge mode, the port mapping rule has the form ip:port:targetPort.

    1. For example, 0.0.0.0:80:8080 means that port 80 of the host is mapped to port 8080 of the container, with no restriction on the IP. In this case, any request to port 80 of the host is forwarded to port 8080 in the container without additional iptables settings. (This works even if the firewall has not opened port 80 beforehand, because port mapping itself modifies the iptables rules.)

    2. If an IP address is explicitly specified, the iptables rule restricts access to port 8080 in the container to port 80 of that IP only. Docker port mapping is in fact network connectivity implemented by modifying iptables rules.

  2. In host network mode, it is the same as having a process listening on the port on the host itself. No additional changes are made to the iptables rules, so in this case you need to set iptables manually to allow external access.
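As an added example (not part of the question or the answer above), the following script makes the bridge-mode point checkable: it parses the DNAT rules Docker writes into the nat-table DOCKER chain and reports which published ports are reachable on every host interface versus only via an explicitly specified IP. The `iptables -t nat -L DOCKER -n` sample embedded in it is constructed for the example (the question only shows the filter table); the `audit` function and its allow-list are assumptions of this example, not a Docker feature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what `iptables -t nat -L DOCKER -n` prints on a bridge-mode
# host (not taken from the question). The "destination" column is the host address the
# port was published on: 0.0.0.0/0 means "-p 80:80" (every interface), a concrete
# address means "-p 127.0.0.1:9001:9001" style publishing.
NAT_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.3:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.17.0.5:443
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:9001 to:172.17.0.7:9001
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 to:172.17.0.2:4500
DNAT       tcp  --  0.0.0.0/0            192.168.18.10        tcp dpt:25 to:172.18.0.2:25
"""


@dataclass(frozen=True)
class PublishedPort:
    proto: str
    host_ip: str          # "0.0.0.0/0" = reachable on every host interface
    host_port: int
    container_ip: str
    container_port: int

    @property
    def exposed_everywhere(self) -> bool:
        return self.host_ip in ("0.0.0.0/0", "0.0.0.0")


# One DNAT rule per published port: the nat DOCKER chain rewrites the destination to
# the container, and the filter DOCKER chain (the one shown in the question) then
# accepts it in FORWARD. The INPUT chain is never consulted for this traffic.
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+(?P<host_ip>\S+)\s+"
    r"(?P=proto)\s+dpt:(?P<host_port>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)"
)


def parse_nat_docker_chain(text: str) -> list[PublishedPort]:
    """Extract every DNAT mapping from `iptables -t nat -L DOCKER -n` output."""
    found = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            found.append(PublishedPort(
                m["proto"], m["host_ip"], int(m["host_port"]),
                m["cip"], int(m["cport"]),
            ))
    return found


def audit(ports: list[PublishedPort],
          allowed_public: frozenset[int] = frozenset()) -> list[PublishedPort]:
    """Mappings reachable from any interface that are not on the allow-list of ports
    meant to be public (hypothetical policy input). These reach the container
    regardless of what the INPUT chain permits."""
    return [p for p in ports if p.exposed_everywhere and p.host_port not in allowed_public]


if __name__ == "__main__":
    mappings = parse_nat_docker_chain(NAT_DOCKER_CHAIN)
    for p in mappings:
        scope = "ALL INTERFACES" if p.exposed_everywhere else f"only via {p.host_ip}"
        print(f"{p.proto}/{p.host_port:<5} -> {p.container_ip}:{p.container_port:<5} {scope}")
    for p in audit(mappings, allowed_public=frozenset({80, 443})):
        print(f"review: {p.proto}/{p.host_port} is published to every interface")
```

On a real host, feed it the output of `iptables -t nat -L DOCKER -n` instead of the embedded sample; the 9001 and 25 mappings illustrate the answer's second case (an explicit IP in the `-p` option limits where the port can be reached), while 80, 443 and 4500 illustrate the first (published to all interfaces with no INPUT rule involved).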