参考https://docs.docker.com/network/iptables/
这里面说明了添加的规则，添加完成后是可以生效，问题是系统重启呢？或者docker重启呢都会重新写iptables规则，添加就失效了
所以好的办法是放在docker重启后添加。

[root@CentOS7-6 middleware]# cat  set_rule.sh
#!/bin/bash
rule_num=$(iptables -L DOCKER -n --line-number |  grep 9200 |  awk '{print $1}')
if [ "$rule_num" != ""  ];then
  iptables -R DOCKER $rule_num  -p tcp -m tcp -s  10.6.118.22 --dport 9200 -j ACCEPT ;
  echo  "set rule ok"
else
  echo "iptables rule needn't set."
fi
[root@CentOS7-6 middleware]# cat /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Wants=docker.socket

[Service]
Type=notify
Environment=GOTRACEBACK=crash
ExecReload=/bin/kill -s HUP $MAINPID
Delegate=yes
KillMode=process
ExecStart=/usr/bin/dockerd \
        --default-address-pool base=172.17.0.0,size=16 \
        --insecure-registry=intranet.uihcloud.registry:5000 \
        --data-root /data/docker_lib \
        --log-opt max-size=10m \
        --log-opt max-file=3
ExecStartPost=/var/middleware/set_rule.sh
TasksMax=infinity
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=1min
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

还看到有一种方式添加privileged=true http://www.manongjc.com/article/127102.html 待测试。