How do I get Docker to forward remote packets when packets from the docker host work?

I have built a docker container running a VPN. Using the --net option I added another container with a Squid proxy that shares the same networking as the vpn. Running traceroute from inside the container, I can see that traffic is routed through the vpn. Squid runs in the proxy container on the default port 3128. If I configure firefox to use this proxy, 172.17.0.2:3128, it uses the proxy to reach the Internet via the vpn. But why does this only work from my docker host? If I try from my workstation I get a timeout. I can try the same thing with telnet:

From outside the docker host, the result is a timeout:

    torbjorn@base telnet 192.168.1.100 3128

On the docker host, the connection works:

    torbjorn@base telnet localhost 3128

I experimented further with tcpdump and route and concluded that the packets are dropped in the first case. One possibility that comes to mind is that docker may have added a route so that packets coming from the docker host are routed back to the host. Is it possible to route packets sent from elsewhere into the VPN? What can I do to resolve this situation so that I can use this HTTP proxy from machines other than the docker host?

I have enabled IP forwarding on both the docker host and the docker container.

Creating the docker containers

    docker run --cap-add=NET_ADMIN --device /dev/net/tun --name vpn -p 3128:3128 --expose=3128 --volume /home/torbjorn/docker/troyc-openvpn-client:/vpn -d troyc/openvpn
    docker run --cap-add=NET_ADMIN --device /dev/net/tun --name proxy -p 3128:3128 --expose=3128 --net=container:vpn --volume /home/torbjorn/docker/squid/cache:/var/spool/squid3 -d sameersbn/squid:3.3.8-5

Inspecting the containers

    torbjorn@base:~$ docker ps
    CONTAINER ID        IMAGE                     COMMAND                CREATED             STATUS              PORTS                    NAMES
    72273f554ce7        sameersbn/squid:3.3.8-5   "/sbin/entrypoint.sh   2 weeks ago         Up 6 minutes                                 proxy
    36161a9eb125        troyc/openvpn             "openvpn --cd /vpn -   2 weeks ago         Up 6 minutes        0.0.0.0:3128->3128/tcp   vpn

The docker host's routing table (iptables) with the containers running

    torbjorn@base:~$ sudo iptables -t nat -L -n
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
    MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:3128

    Chain DOCKER (2 references)
    target     prot opt source               destination
    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3128 to:172.17.0.2:3128
    torbjorn@base:~$ sudo iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain DOCKER (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:3128

The docker host's gateway

    torbjorn@base:~$ route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         DD-WRT.local    0.0.0.0         UG    0      0        0 eth0
    172.17.0.0      *               255.255.0.0     U     0      0        0 docker0
    192.168.1.0     *               255.255.255.0   U     1      0        0 eth0

The gateway on the docker container

    root@36161a9eb125:/# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.114.0.1      128.0.0.0       UG    0      0        0 tun0
    10.114.0.0      *               255.255.0.0     U     0      0        0 tun0
    128.0.0.0       10.114.0.1      128.0.0.0       UG    0      0        0 tun0
    172.17.0.0      *               255.255.0.0     U     0      0        0 eth0
    se3.mullvad.net 172.17.42.1     255.255.255.255 UGH   0      0        0 eth0

Some experiments with ip route

    root@36161a9eb125:/# ip route get to 192.168.1.100 from 172.17.0.12
    192.168.1.100 from 172.17.0.12 via 10.114.0.1 dev tun0
        cache
    torbjorn@base:~/docker$ ip route get to 172.17.0.12 from 192.168.1.100
    172.17.0.12 from 192.168.1.100 dev docker0
        cache
    torbjorn@base:~/docker$ ip route get to 192.168.1.100 from 172.17.0.12
    RTNETLINK answers: Invalid argument

tcpdump

    torbjorn@base:~$ docker exec -it proxy tcpdump -vv -n -i any port 3128|tee tcpdump_local.txt
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    17:46:56.045708 IP (tos 0x0, ttl 64, id 7053, offset 0, flags [DF], proto TCP (6), length 60)
        172.17.42.1.42855 > 172.17.0.12.3128: Flags [S], cksum 0x825e (incorrect -> 0x2a32), seq 1327404614, win 29200, options [mss 1460,sackOK,TS val 46042571 ecr 0,nop,wscale 7], length 0
    17:46:56.045744 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        172.17.0.12.3128 > 172.17.42.1.42855: Flags [S.], cksum 0x825e (incorrect -> 0x388b), seq 284840194, ack 1327404615, win 28960, options [mss 1460,sackOK,TS val 46042571 ecr 46042571,nop,wscale 7], length 0
    17:46:56.045773 IP (tos 0x0, ttl 64, id 7054, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.42.1.42855 > 172.17.0.12.3128: Flags [.], cksum 0x8256 (incorrect -> 0xd792), seq 1, ack 1, win 229, options [nop,nop,TS val 46042571 ecr 46042571], length 0
    17:46:56.045902 IP (tos 0x0, ttl 64, id 7055, offset 0, flags [DF], proto TCP (6), length 130)
        172.17.42.1.42855 > 172.17.0.12.3128: Flags [P.], cksum 0x82a4 (incorrect -> 0x65bd), seq 1:79, ack 1, win 229, options [nop,nop,TS val 46042571 ecr 46042571], length 78
    17:46:56.045923 IP (tos 0x0, ttl 64, id 56520, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.0.12.3128 > 172.17.42.1.42855: Flags [.], cksum 0x8256 (incorrect -> 0xd746), seq 1, ack 79, win 227, options [nop,nop,TS val 46042571 ecr 46042571], length 0
    17:46:56.046150 IP (tos 0x0, ttl 64, id 56521, offset 0, flags [DF], proto TCP (6), length 2948)
        172.17.0.12.3128 > 172.17.42.1.42855: Flags [.], cksum 0x8da6 (incorrect -> 0x0688), seq 1:2897, ack 79, win 227, options [nop,nop,TS val 46042571 ecr 46042571], length 2896
    17:46:56.046177 IP (tos 0x0, ttl 64, id 7056, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.42.1.42855 > 172.17.0.12.3128: Flags [.], cksum 0x8256 (incorrect -> 0xcbc7), seq 79, ack 2897, win 274, options [nop,nop,TS val 46042571 ecr 46042571], length 0
    17:46:56.046190 IP (tos 0x0, ttl 64, id 56523, offset 0, flags [DF], proto TCP (6), length 674)
        172.17.0.12.3128 > 172.17.42.1.42855: Flags [P.], cksum 0x84c4 (incorrect -> 0xb67b), seq 2897:3519, ack 79, win 227, options [nop,nop,TS val 46042571 ecr 46042571], length 622
    17:46:56.046210 IP (tos 0x0, ttl 64, id 7057, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.42.1.42855 > 172.17.0.12.3128: Flags [.], cksum 0x8256 (incorrect -> 0xc943), seq 79, ack 3519, win 296, options [nop,nop,TS val 46042571 ecr 46042571], length 0
    17:46:56.046308 IP (tos 0x0, ttl 64, id 56524, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.0.12.3128 > 172.17.42.1.42855: Flags [F.], cksum 0x8256 (incorrect -> 0xc987), seq 3519, ack 79, win 227, options [nop,nop,TS val 46042571 ecr 46042571], length 0
    17:46:56.046464 IP (tos 0x0, ttl 64, id 7058, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.42.1.42855 > 172.17.0.12.3128: Flags [F.], cksum 0x8256 (incorrect -> 0xc940), seq 79, ack 3520, win 296, options [nop,nop,TS val 46042572 ecr 46042571], length 0
    17:46:56.046477 IP (tos 0x0, ttl 64, id 56525, offset 0, flags [DF], proto TCP (6), length 52)
        172.17.0.12.3128 > 172.17.42.1.42855: Flags [.], cksum 0x8256 (incorrect -> 0xc984), seq 3520, ack 80, win 227, options [nop,nop,TS val 46042572 ecr 46042572], length 0
    ^C
    12 packets captured
    12 packets received by filter
    0 packets dropped by kernel
    torbjorn@base:~$ docker exec -it proxy tcpdump -vv -n -i any port 3128|tee tcpdump_remote.txt
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    17:47:11.169767 IP (tos 0x0, ttl 64, id 10042, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xff57), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46046352 ecr 0,nop,wscale 7], length 0
    17:47:12.166358 IP (tos 0x0, ttl 64, id 10043, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xfe5d), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46046602 ecr 0,nop,wscale 7], length 0
    17:47:14.170364 IP (tos 0x0, ttl 64, id 10044, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xfc68), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46047103 ecr 0,nop,wscale 7], length 0
    17:47:18.174355 IP (tos 0x0, ttl 64, id 10045, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xf87f), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46048104 ecr 0,nop,wscale 7], length 0
    17:47:26.190369 IP (tos 0x0, ttl 64, id 10046, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xf0ab), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46050108 ecr 0,nop,wscale 7], length 0
    17:47:42.206355 IP (tos 0x0, ttl 64, id 10047, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xe107), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46054112 ecr 0,nop,wscale 7], length 0
    17:48:14.270363 IP (tos 0x0, ttl 64, id 10048, offset 0, flags [DF], proto TCP (6), length 60)
        192.168.1.100.43194 > 172.17.0.12.3128: Flags [S], cksum 0x6e58 (incorrect -> 0xc1b7), seq 633650090, win 43690, options [mss 65495,sackOK,TS val 46062128 ecr 0,nop,wscale 7], length 0
    ^C
    7 packets captured
    7 packets received by filter
    0 packets dropped by kernel
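To make the `ip route get` experiment in the question reproducible offline, here is an added example (not part of the question or of any of the tools it uses) that replays the two `route` tables from the post as a longest-prefix-match lookup and reports whether a reply to a given peer would leave on the interface the packet arrived on: inside the container the docker host's 172.17.42.1 is reached via eth0, while 192.168.1.100 falls under the 128.0.0.0/1 route to tun0, which matches the capture where the remote SYNs arrive but no SYN-ACK goes back out eth0. The hostnames in the tables (DD-WRT.local, se3.mullvad.net) have no address on the page, so the gateway is kept as a name and the /32 host route is omitted.

```python
import ipaddress

# Route tables transcribed from the question's `route` output; the "default" row in the
# container has genmask 128.0.0.0, i.e. it is really 0.0.0.0/1 (OpenVPN's def1 split).
# Tuples are (destination prefix, gateway or None when on-link, interface).
CONTAINER_ROUTES = [
    ("0.0.0.0/1",     "10.114.0.1", "tun0"),
    ("10.114.0.0/16", None,         "tun0"),
    ("128.0.0.0/1",   "10.114.0.1", "tun0"),
    ("172.17.0.0/16", None,         "eth0"),
]

HOST_ROUTES = [
    ("0.0.0.0/0",      "DD-WRT.local", "eth0"),   # gateway given by name on the page
    ("172.17.0.0/16",  None,           "docker0"),
    ("192.168.1.0/24", None,           "eth0"),
]


def lookup(routes, dst):
    """Return (prefix, gateway, iface) of the most specific route covering dst,
    the same decision `ip route get` makes against the main table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def reply_leaves_on_ingress(routes, ingress_iface, peer):
    """True if a reply to `peer` exits the interface its packet came in on.
    False means asymmetric routing: the SYN-ACK goes somewhere else."""
    return lookup(routes, peer)[2] == ingress_iface


if __name__ == "__main__":
    # Both peers from the tcpdump captures, as seen from the container's eth0.
    for peer in ("172.17.42.1", "192.168.1.100"):
        prefix, gw, iface = lookup(CONTAINER_ROUTES, peer)
        sym = reply_leaves_on_ingress(CONTAINER_ROUTES, "eth0", peer)
        print(f"{peer}: via {gw} dev {iface} ({prefix}); reply on eth0: {sym}")
    print("host -> 172.17.0.12:", lookup(HOST_ROUTES, "172.17.0.12"))
```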