I am using Docker 0.7.0 on Red Hat Enterprise Linux 6.5 to create containers. When the firewall is turned off, the container can talk to the outside world, but when the firewall is on, the container cannot be reached from outside.
This is how I run docker and map the port from the host to the container:
    $ docker run -i -t -p 3838:3838 shiny "shiny-server"
Without the firewall I can reach the Node.js server running inside the container on port 3838 from the external network, e.g. http://servername:3838, but not with the firewall turned on.
These are my default firewall rules:
    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
I tried to open port 3838 by adding the following rule, but it does not work:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT
Docker creates a virtual NAT on the host, and I think the firewall is blocking packet forwarding from eth0 to docker0.
I need help configuring iptables so that the Docker container is reachable from the external network without turning off the whole firewall.
This is the output of $ ifconfig (I have masked the server IP):
    docker0   Link encap:Ethernet  HWaddr 00:00:00:00:00:00
              inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0
              inet6 addr: fe80::87d:8dff:fed0:f16d/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:408321 errors:0 dropped:0 overruns:0 frame:0
              TX packets:681809 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:126511933 (120.6 MiB)  TX bytes:924200959 (881.3 MiB)

    eth0      Link encap:Ethernet  HWaddr 00:25:64:A8:5B:8F
              inet addr:XXX.XXX.XXX.XXX  Bcast:XXX.XXX.XXX.XXX  Mask:255.255.240.0
              inet6 addr: XXXX::XXX:XXXX:XXXX:XXXX/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:29786186 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1137982 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4209047011 (3.9 GiB)  TX bytes:234657696 (223.7 MiB)
              Interrupt:17

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:8444 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8444 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:4701771 (4.4 MiB)  TX bytes:4701771 (4.4 MiB)
Output of $ docker version:
    Client version: 0.7.0
    Go version (client): go1.1.2
    Git commit (client): 0ff9bc1/0.7.0
    Server version: 0.7.0
    Git commit (server): 0ff9bc1/0.7.0
    Go version (server): go1.1.2
    Last stable version: 0.7.2, please update docker
Output of $ docker info:
    Containers: 321
    Images: 278
    Driver: devicemapper
     Pool Name: docker-8:17-13239310-pool
     Data file: /var/lib/docker/devicemapper/devicemapper/data
     Metadata file: /var/lib/docker/devicemapper/devicemapper/metadata
     Data Space Used: 56464.5 Mb
     Data Space Total: 102400.0 Mb
     Metadata Space Used: 59.5 Mb
     Metadata Space Total: 2048.0 Mb
I believe you also have to allow the packets on the FORWARD chain. You also need to make sure that the allow rule you add comes before the REJECT rule, because iptables works on a first-match basis.
I had a similar problem; the solution was the missing masquerading. That also does not explain why it works for you without the filter rules.
How about trying to add the following rules:
    *filter
    [...]
    -A FORWARD -d 172.17.42.0/16 -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 172.17.42.0/16 -i docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT
    -A FORWARD -o docker0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i docker0 -j REJECT --reject-with icmp-port-unreachable

    *nat
    [...]
    -A POSTROUTING -s 172.17.42.0/16 ! -d 172.17.42.0/16 -p tcp -j MASQUERADE --to-ports 1016-65535
    -A POSTROUTING -s 172.17.42.0/16 ! -d 172.17.42.0/16 -p udp -j MASQUERADE --to-ports 1016-65535
    -A POSTROUTING -s 172.17.42.0/16 ! -d 172.17.42.0/16 -j MASQUERADE
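To make the two points raised in the answers concrete (the INPUT rule must sit ahead of the terminating REJECT because iptables stops at the first match, and the FORWARD chain needs an ACCEPT toward the docker0 bridge ahead of its blanket REJECT), here is an added example that is not part of the thread and not Docker's own code: a small Python checker that walks an iptables-save style dump in rule order and reports which verdict a new inbound TCP connection to the published port would receive in INPUT and in FORWARD. The rulesets are constructed from the question's rules; the per-container FORWARD rule and the 172.17.0.2 address are placeholders, and the matcher understands only the handful of options used here (interface, protocol, port and connection state); address matches are treated as possibly matching, and jumps to user-defined chains are not followed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Chain:
    policy: str = "ACCEPT"                          # verdict when no rule matches
    rules: List[str] = field(default_factory=list)  # kept in first-match order


def parse_filter_table(ruleset: str) -> Dict[str, Chain]:
    """Parse the *filter table of an iptables-save dump into ordered chains."""
    chains: Dict[str, Chain] = {}
    table: Optional[str] = None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):             # table header, e.g. *filter / *nat
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
        elif table == "filter" and line.startswith("-A "):
            _, name, rest = line.split(maxsplit=2)
            chains.setdefault(name, Chain()).rules.append(rest)
    return chains


def rule_could_match(rule: str, flow: dict) -> bool:
    """Return False only when an option on the rule definitely excludes the flow.
    Handles -i/-o/-p/--dport/--state/--ctstate and the '!' negation; anything
    else (addresses, -m modules, targets) is treated as possibly matching."""
    expected = {"-i": flow.get("in_if"), "-o": flow.get("out_if"),
                "-p": flow.get("proto"), "--dport": str(flow.get("dport"))}
    toks, negate, i = rule.split(), False, 0
    while i < len(toks):
        t, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "!":
            negate, i = True, i + 1
            continue
        hit = None
        if t in expected:
            hit = nxt == expected[t]
        elif t in ("--state", "--ctstate"):
            hit = flow.get("state") in nxt.split(",")
        if hit is not None and hit == negate:   # plain mismatch, or negated match
            return False
        negate = False
        i += 2 if nxt is not None and not nxt.startswith("-") else 1
    return True


def verdict(chain: Chain, flow: dict) -> str:
    """First-match walk: the first matching ACCEPT/REJECT/DROP decides, else policy."""
    for rule in chain.rules:
        if not rule_could_match(rule, flow):
            continue
        m = re.search(r"-j\s+(\S+)", rule)
        if m and m.group(1) in ("ACCEPT", "REJECT", "DROP"):
            return m.group(1)
    return chain.policy


def check_published_port(ruleset: str, port: int, bridge: str = "docker0",
                         ext_if: str = "eth0") -> Dict[str, str]:
    """Verdicts for a NEW TCP connection arriving on ext_if for `port`:
    INPUT covers traffic to the host itself, FORWARD traffic routed to the bridge."""
    chains = parse_filter_table(ruleset)
    host_flow = {"in_if": ext_if, "proto": "tcp", "dport": port, "state": "NEW"}
    fwd_flow = dict(host_flow, out_if=bridge)
    return {"INPUT": verdict(chains["INPUT"], host_flow),
            "FORWARD": verdict(chains["FORWARD"], fwd_flow)}


# Constructed rulesets, trimmed from the question's /etc/sysconfig/iptables.
BASE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{before_input_reject}-A INPUT -j REJECT --reject-with icmp-host-prohibited
{after_input_reject}{before_forward_reject}-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
PORT_RULE = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 3838 -j ACCEPT\n"
# Placeholder per-container forward rule; 172.17.0.2 is a made-up container address.
BRIDGE_RULE = ("-A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 "
               "-p tcp -m tcp --dport 3838 -j ACCEPT\n")

AS_ASKED = BASE.format(before_input_reject=PORT_RULE, after_input_reject="", before_forward_reject="")
MISORDERED = BASE.format(before_input_reject="", after_input_reject=PORT_RULE, before_forward_reject="")
FIXED = BASE.format(before_input_reject=PORT_RULE, after_input_reject="", before_forward_reject=BRIDGE_RULE)

if __name__ == "__main__":
    for label, rs in (("as asked", AS_ASKED), ("misordered", MISORDERED), ("fixed", FIXED)):
        print(f"{label:>10}: {check_published_port(rs, 3838)}")
```

On a live RHEL 6 host the ordering point is the practical one: `iptables -A INPUT ...` appends after the existing `-j REJECT` line and is never reached, whereas `iptables -I INPUT ...` inserts at the top of the chain; when editing /etc/sysconfig/iptables by hand, the new line has to be placed above the REJECT line for the same reason.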