zfl9 / ss-tproxy

ss/v2ray/xray/trojan/hysteria/naive/socks5 transparent proxy
GNU Affero General Public License v3.0

After installing Docker, hosts other than the ss-tproxy host cannot access domestic websites #62

Closed redrohu closed 5 years ago

redrohu commented 5 years ago

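I am using a v2ray proxy, pure tproxy, gfwlist mode. Before Docker was installed everything worked, but after installing Docker the other hosts on the same subnet cannot access domestic websites; after restoring the iptables rules from before the Docker installation, it works again. What should I do so that the two can coexist?

iptables before installing Docker: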

# Generated by xtables-save v1.8.2 on Mon Aug 26 19:09:19 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSTP_PREROUTING - [0:0]
:SSTP_OUTPUT - [0:0]
:SSTP_POSTROUTING - [0:0]
-A PREROUTING -j SSTP_PREROUTING
-A POSTROUTING -j SSTP_POSTROUTING
-A OUTPUT -j SSTP_OUTPUT
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 60053
-A SSTP_OUTPUT -d 127.0.0.1/32 -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 60053
COMMIT
# Completed on Mon Aug 26 19:09:19 2019
# Generated by xtables-save v1.8.2 on Mon Aug 26 19:09:19 2019
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SSTP_PREROUTING - [0:0]
:SSTP_OUTPUT - [0:0]
:SSTP_RULE - [0:0]
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -i lo -p udp -m udp --dport 53 -j RETURN
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 ! -i lo -p tcp -j SSTP_RULE
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 ! -i lo -p udp -j SSTP_RULE
-A SSTP_PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A SSTP_PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A SSTP_OUTPUT -o lo -j RETURN
-A SSTP_OUTPUT -d 192.168.0.0/16 -j RETURN
-A SSTP_OUTPUT -p tcp -j SSTP_RULE
-A SSTP_OUTPUT -p udp -j SSTP_RULE
-A SSTP_RULE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A SSTP_RULE -m mark --mark 0x2333 -j RETURN
-A SSTP_RULE -d 34.80.246.250/32 -p tcp -m multiport --dports 80,443,1:65535 -j RETURN
-A SSTP_RULE -d 34.80.246.250/32 -p udp -m multiport --dports 80,443,1:65535 -j RETURN
-A SSTP_RULE -d 114.114.114.114/32 -p udp -m udp --dport 53 -j RETURN
-A SSTP_RULE -d 8.8.8.8/32 -p udp -m udp --dport 53 -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_RULE -d 8.8.8.8/32 -p udp -m udp --dport 53 -j RETURN
-A SSTP_RULE -p tcp -m set --match-set gfwlist dst -m multiport --dports 1:65535 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_RULE -p udp -m set --match-set gfwlist dst -m multiport --dports 1:65535 -m conntrack --ctstate NEW -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_RULE -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Mon Aug 26 19:09:19 2019
# Generated by xtables-save v1.8.2 on Mon Aug 26 19:09:19 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Aug 26 19:09:19 2019

iptables after installing Docker:

# Generated by xtables-save v1.8.2 on Tue Aug 27 14:48:26 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Aug 27 14:48:26 2019
# Generated by xtables-save v1.8.2 on Tue Aug 27 14:48:26 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:SSTP_PREROUTING - [0:0]
:SSTP_OUTPUT - [0:0]
:SSTP_POSTROUTING - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -j SSTP_PREROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j SSTP_POSTROUTING
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j SSTP_OUTPUT
-A DOCKER -i docker0 -j RETURN
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -i lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 60053
-A SSTP_OUTPUT -d 127.0.0.1/32 -o lo -p udp -m udp --dport 53 -j REDIRECT --to-ports 60053
COMMIT
# Completed on Tue Aug 27 14:48:26 2019
# Generated by xtables-save v1.8.2 on Tue Aug 27 14:48:26 2019
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:SSTP_PREROUTING - [0:0]
:SSTP_OUTPUT - [0:0]
:SSTP_RULE - [0:0]
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -i lo -p udp -m udp --dport 53 -j RETURN
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 ! -i lo -p tcp -j SSTP_RULE
-A SSTP_PREROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 ! -i lo -p udp -j SSTP_RULE
-A SSTP_PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A SSTP_PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-port 60080 --on-ip 127.0.0.1 --tproxy-mark 0x0/0x0
-A SSTP_OUTPUT -o lo -j RETURN
-A SSTP_OUTPUT -d 192.168.0.0/16 -j RETURN
-A SSTP_OUTPUT -p tcp -j SSTP_RULE
-A SSTP_OUTPUT -p udp -j SSTP_RULE
-A SSTP_RULE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A SSTP_RULE -m mark --mark 0x2333 -j RETURN
-A SSTP_RULE -d 34.80.246.250/32 -p tcp -m multiport --dports 80,443,1:65535 -j RETURN
-A SSTP_RULE -d 34.80.246.250/32 -p udp -m multiport --dports 80,443,1:65535 -j RETURN
-A SSTP_RULE -d 114.114.114.114/32 -p udp -m udp --dport 53 -j RETURN
-A SSTP_RULE -d 8.8.8.8/32 -p udp -m udp --dport 53 -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_RULE -d 8.8.8.8/32 -p udp -m udp --dport 53 -j RETURN
-A SSTP_RULE -p tcp -m set --match-set gfwlist dst -m multiport --dports 1:65535 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_RULE -p udp -m set --match-set gfwlist dst -m multiport --dports 1:65535 -m conntrack --ctstate NEW -j MARK --set-xmark 0x2333/0xffffffff
-A SSTP_RULE -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue Aug 27 14:48:26 2019

zfl9 commented 5 years ago

Please enable the ipts_set_snat option.

redrohu commented 5 years ago

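A Phicomm N1 running Armbian (192.168.0.218) serves as a bypass gateway.

1. Install ss-tproxy first, with ipts_set_snat at its default of false, then install Docker; after the installation, set ipts_set_snat to true, and then it works.
2. Install ss-tproxy first with ipts_set_snat set to true, then install Docker; in this case domestic websites still cannot be accessed.

Below are the iptables rules corresponding to 1 and 2 respectively: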

==> iptables-mangle <==
Chain PREROUTING (policy ACCEPT 885 packets, 626K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      885  626K SSTP_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 88 packets, 7556 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 797 packets, 618K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51 packets, 5128 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       51  5128 SSTP_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 848 packets, 624K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain SSTP_PREROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10   622 RETURN     udp  --  !lo    *       192.168.0.0/16       0.0.0.0/0            udp dpt:53
2      386 67367 SSTP_RULE  tcp  --  !lo    *       192.168.0.0/16      !192.168.0.0/16
3       15  1278 SSTP_RULE  udp  --  !lo    *       192.168.0.0/16      !192.168.0.0/16
4        0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0
5        0     0 TPROXY     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0

Chain SSTP_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2       36  3499 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
3        0     0 SSTP_RULE  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
4       10   622 SSTP_RULE  udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SSTP_RULE (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1      411 69267 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2333
3        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            34.80.246.250        multiport dports 80,443,1:65535
4        0     0 RETURN     udp  --  *      *       0.0.0.0/0            34.80.246.250        multiport dports 80,443,1:65535
5       10   622 RETURN     udp  --  *      *       0.0.0.0/0            114.114.114.114      udp dpt:53
6        0     0 MARK       udp  --  *      *       0.0.0.0/0            8.8.8.8              udp dpt:53 MARK set 0x2333
7        0     0 RETURN     udp  --  *      *       0.0.0.0/0            8.8.8.8              udp dpt:53
8        0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set gfwlist dst multiport dports 1:65535 tcp flags:0x17/0x02 MARK set 0x2333
9        0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set gfwlist dst multiport dports 1:65535 ctstate NEW MARK set 0x2333
10     401 68645 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save

==> iptables-nat <==
Chain PREROUTING (policy ACCEPT 41 packets, 2532 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       46  2843 SSTP_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 14 packets, 1123 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
2       37  2031 SSTP_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:9000

Chain OUTPUT (policy ACCEPT 5 packets, 311 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   311 SSTP_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain SSTP_PREROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        5   311 REDIRECT   udp  --  !lo    *       192.168.0.0/16       0.0.0.0/0            udp dpt:53 redir ports 60053

Chain SSTP_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   udp  --  *      lo      0.0.0.0/0            127.0.0.1            udp dpt:53 redir ports 60053

Chain SSTP_POSTROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       31  1668 MASQUERADE  tcp  --  *      *       192.168.0.0/16      !192.168.0.0/16       tcp flags:0x17/0x02
2        6   363 MASQUERADE  udp  --  *      *       192.168.0.0/16      !192.168.0.0/16       ctstate NEW
3        0     0 MASQUERADE  icmp --  *      *       192.168.0.0/16      !192.168.0.0/16       ctstate NEW

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
2        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000

=================================================================

==> iptables-mangle <==
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1181 84552 SSTP_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      293 39034 SSTP_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain SSTP_PREROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       22  1406 RETURN     udp  --  !lo    *       192.168.0.0/16       0.0.0.0/0            udp dpt:53
2      709 38251 SSTP_RULE  tcp  --  !lo    *       192.168.0.0/16      !192.168.0.0/16
3       84  6305 SSTP_RULE  udp  --  !lo    *       192.168.0.0/16      !192.168.0.0/16
4        0     0 TPROXY     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0
5        0     0 TPROXY     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2333 TPROXY redirect 127.0.0.1:60080 mark 0x0/0x0

Chain SSTP_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       24  2379 RETURN     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
2      137 26431 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/16
3        5   200 SSTP_RULE  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
4      120  8806 SSTP_RULE  udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SSTP_RULE (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1      918 53562 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2333
3        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            34.80.246.250        multiport dports 80,443,1:65535
4        0     0 RETURN     udp  --  *      *       0.0.0.0/0            34.80.246.250        multiport dports 80,443,1:65535
5       28  1814 RETURN     udp  --  *      *       0.0.0.0/0            114.114.114.114      udp dpt:53
6        0     0 MARK       udp  --  *      *       0.0.0.0/0            8.8.8.8              udp dpt:53 MARK set 0x2333
7        0     0 RETURN     udp  --  *      *       0.0.0.0/0            8.8.8.8              udp dpt:53
8        0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set gfwlist dst multiport dports 1:65535 tcp flags:0x17/0x02 MARK set 0x2333
9        0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set gfwlist dst multiport dports 1:65535 ctstate NEW MARK set 0x2333
10     890 51748 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save

==> iptables-nat <==
Chain PREROUTING (policy ACCEPT 749 packets, 44136 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       19  1613 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
2      759 44759 SSTP_PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 111 packets, 9024 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 11 packets, 693 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
2        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:9000
3       38  2595 SSTP_POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 39 packets, 2652 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       45  3054 SSTP_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
3       32  2193 SSTP_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SSTP_OUTPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        6   402 REDIRECT   udp  --  *      lo      0.0.0.0/0            127.0.0.1            udp dpt:53 redir ports 60053
2        0     0 REDIRECT   udp  --  *      lo      0.0.0.0/0            127.0.0.1            udp dpt:53 redir ports 60053

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
2        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9000 to:172.17.0.2:9000

Chain SSTP_PREROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       15   949 REDIRECT   udp  --  !lo    *       192.168.0.0/16       0.0.0.0/0            udp dpt:53 redir ports 60053

Chain SSTP_POSTROUTING (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  tcp  --  *      *       192.168.0.0/16      !192.168.0.0/16       tcp flags:0x17/0x02
2       32  2193 MASQUERADE  udp  --  *      *       192.168.0.0/16      !192.168.0.0/16       ctstate NEW
3        0     0 MASQUERADE  icmp --  *      *       192.168.0.0/16      !192.168.0.0/16       ctstate NEW

zfl9 commented 5 years ago

I don't know exactly what rules Docker has; in any case, just set the set_snat option to true. If it conflicts with Docker, then try restarting ss-tproxy? Have you tried that?

zfl9 commented 5 years ago

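I suspect it is related to the order of the rules. Edit the /usr/local/bin/ss-tproxy script, find the start_iptables_post_rules function, and change -A to -I. Then, after installing Docker, restart the ss-tproxy script and see whether that resolves the conflict.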

redrohu commented 5 years ago

Changing -A to -I in the start_iptables_post_rules function did not work either. I added the following at the end of ss-tproxy.conf:

post_start() {
   iptables -P FORWARD ACCEPT
}

Problem solved.
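
The `post_start` fix in the last comment resets the filter FORWARD policy, which the two iptables-save dumps in the first post show changing from ACCEPT to DROP after Docker was installed. As an added example (not part of the thread or of ss-tproxy), this script finds such policy changes between two dumps and checks whether any FORWARD ACCEPT rule exists outside docker0; the function names are hypothetical and the sample input is abridged from those dumps.

```shell
#!/bin/sh
# Added example: compare two iptables-save dumps for built-in chain policy changes.

# Print "table chain old -> new" for each built-in chain whose policy differs
# between dump $1 and dump $2. User-defined chains (policy "-") are skipped.
policy_diff() {
    awk '
        FNR == 1 { file++ }
        /^\*/    { table = substr($0, 2); next }      # "*filter" opens a table
        /^:/ {
            if ($2 == "-") next
            key = table " " substr($1, 2)             # e.g. "filter FORWARD"
            if (file == 1) before[key] = $2
            else if ((key in before) && before[key] != $2)
                print key, before[key], "->", $2
        }
    ' "$1" "$2"
}

# Print filter FORWARD rules in dump $1 that ACCEPT without referencing docker0.
# With policy DROP and no such rule, packets routed between non-Docker
# interfaces match nothing in FORWARD and fall through to the policy.
forward_accepts_outside_docker() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^-A FORWARD / && / -j ACCEPT$/ && !/docker0/
    ' "$1"
}

# Sample input: filter tables abridged from the two dumps in the first post.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

cat > "$BEFORE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

cat > "$AFTER" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF

policy_diff "$BEFORE" "$AFTER"
forward_accepts_outside_docker "$AFTER"
```

On a live host the two inputs would be files written by `iptables-save` before and after the change.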