Although I have not added any iptables rules on the host or in either of the two containers, packets coming from one Docker container are being rewritten and given the IP of the Docker network gateway:
Container 1:
bash-5.0# ip route
default via 172.16.238.2 dev eth0
10.6.0.0/24 via 172.16.238.1 dev eth0
172.16.238.0/24 dev eth0 scope link src 172.16.238.7
bash-5.0# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
23: eth0@if24: mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:10:ee:07 brd ff:ff:ff:ff:ff:ff
inet 172.16.238.7/24 brd 172.16.238.255 scope global eth0
valid_lft forever preferred_lft forever
bash-5.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
Container 2:
root@c8d6fa7eab4d:/# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 100.71.37.47/32 scope global wg0
valid_lft forever preferred_lft forever
17: eth0@if18: mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:10:ee:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.16.238.2/24 brd 172.16.238.255 scope global eth0
valid_lft forever preferred_lft forever
root@c8d6fa7eab4d:/# tcpdump -i eth0 dst 1.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:34:06.910548 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 36, length 64
16:34:07.910920 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 37, length 64
16:34:08.911322 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 38, length 64
16:34:09.911709 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 39, length 64
16:34:10.912143 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 40, length 64
16:34:11.912504 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 41, length 64
16:34:12.912932 IP 172.16.238.1 > one.one.one.one: ICMP echo request, id 5632, seq 42, length 64
^C
7 packets captured
9 packets received by filter
0 packets dropped by kernel
Host:
root@raspberrypi:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- !172.16.238.0/24 172.16.238.2
MASQUERADE all -- !172.16.238.0/24 172.16.238.2
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- 172.16.238.0/24 anywhere
MASQUERADE all -- !172.16.238.0/24 172.16.238.2
MASQUERADE all -- 10.6.0.0/24 anywhere /* wireguard-nat-rule */
MASQUERADE all -- !172.16.238.0/24 172.16.238.2
MASQUERADE all -- 172.16.238.0/24 anywhere
MASQUERADE tcp -- 172.16.238.4 172.16.238.4 tcp dpt:https
MASQUERADE tcp -- 172.16.238.4 172.16.238.4 tcp dpt:http
MASQUERADE tcp -- 172.16.238.4 172.16.238.4 tcp dpt:domain
MASQUERADE udp -- 172.16.238.4 172.16.238.4 udp dpt:domain
MASQUERADE tcp -- 172.16.238.5 172.16.238.5 tcp dpt:https
MASQUERADE tcp -- 172.16.238.5 172.16.238.5 tcp dpt:http
MASQUERADE tcp -- 172.16.238.5 172.16.238.5 tcp dpt:domain
MASQUERADE udp -- 172.16.238.5 172.16.238.5 udp dpt:domain
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere 192.168.178.2 tcp dpt:https to:172.16.238.4:443
DNAT tcp -- anywhere 192.168.178.2 tcp dpt:http to:172.16.238.4:80
DNAT tcp -- anywhere 192.168.178.2 tcp dpt:domain to:172.16.238.4:53
DNAT udp -- anywhere 192.168.178.2 udp dpt:domain to:172.16.238.4:53
DNAT tcp -- anywhere 192.168.178.3 tcp dpt:https to:172.16.238.5:443
DNAT tcp -- anywhere 192.168.178.3 tcp dpt:http to:172.16.238.5:80
DNAT tcp -- anywhere 192.168.178.3 tcp dpt:domain to:172.16.238.5:53
DNAT udp -- anywhere 192.168.178.3 udp dpt:domain to:172.16.238.5:53
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@raspberrypi:~# iptables-legacy -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
Posted on 2021-03-01 19:14:32
By default, inter-container connectivity (ICC) is enabled, and it is what connects containers to each other automatically without using --link or defining a network.
If you want to disable it, set it in your Docker daemon configuration (icc: false).
If it is undefined or set to true, Docker creates the connecting network and creates the containers. These networks are the source of the iptables rules you are seeing.
See the official Docker bridge network tutorial for more.
Posted on 2022-10-13 08:27:46
I had the same problem, and for me it was related to:
https://github.com/moby/moby/issues/43440
The issue was that I created a Docker network, removed it, and then created another one. Docker is smart enough to reuse the same IP range (172.18.0.0/16 in my case), but firewalld seemed to keep track of the previous Docker network:
# iptables -t nat -S
...
-A POSTROUTING -s 172.18.0.0/16 ! -o br-4a99e748fcc1 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-9dbbf26e610f -j MASQUERADE
...
where br-4a99e748fcc1 is indeed an existing interface, but br-9dbbf26e610f is a leftover (removed from firewalld, but not permanently).
# ip add show br-9dbbf26e610f
Device "br-9dbbf26e610f" does not exist.
If I delete the wrong line, everything works fine: the NAT hairpin (source IP replaced by the gateway address) no longer happens:
# iptables -t nat -D POSTROUTING -s 172.18.0.0/16 ! -o br-9dbbf26e610f -j MASQUERADE
This makes perfect sense: the rule says that any packet not going out through this interface should be masqueraded... and of course no packet goes out through this non-existent interface (!), so this results in masquerading everything in your Docker network.
As explained in the Docker issue above, I ended up calling firewall-cmd to remove the zombie interfaces from the docker zone. This has to be done while the Docker daemon is stopped, because otherwise it seems to keep track of these zombie interfaces.
systemctl stop docker
# remove every interface in the docker zone that no longer exists on the host
for interface in $(firewall-cmd --zone=docker --list-interfaces)
do
    if ! ip link ls "${interface}" >/dev/null 2>&1
    then
        firewall-cmd --zone=docker --remove-interface="${interface}"
        firewall-cmd --runtime-to-permanent
        firewall-cmd --reload
    fi
done
systemctl start docker
https://serverfault.com/questions/1051286
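As an added check that is not part of either answer: this POSIX shell snippet audits nat POSTROUTING rules for MASQUERADE entries whose -o interface no longer exists on the host, which is exactly the stale "! -o br-..." rule the answer above describes (a negated match on a missing interface matches every packet, so bridged container-to-container traffic gets its source rewritten to the gateway). The function name find_stale_masq_rules and the sample rules and interface list are my own constructions, modelled on the output shown above.

```shell
#!/bin/sh
# Audit helper (added example): report nat POSTROUTING MASQUERADE rules that
# reference an interface which is not present on the host.
#
# find_stale_masq_rules RULES IFACES
#   RULES : output of `iptables -t nat -S POSTROUTING`, one rule per line
#   IFACES: names of the interfaces that currently exist, one per line
# Prints every MASQUERADE rule whose "-o" / "! -o" interface is not in IFACES.
# A "! -o <missing>" rule is the harmful case: it matches all traffic.
find_stale_masq_rules() {
    rules="$1"
    ifaces="$2"
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        case "$rule" in
            *MASQUERADE*) ;;
            *) continue ;;
        esac
        # pick the interface name that follows "-o"
        iface=$(printf '%s\n' "$rule" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
        [ -n "$iface" ] || continue
        if ! printf '%s\n' "$ifaces" | grep -qxF -- "$iface"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Constructed sample input mirroring the answer: two rules, one bridge gone.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.18.0.0/16 ! -o br-4a99e748fcc1 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-9dbbf26e610f -j MASQUERADE'
SAMPLE_IFACES='lo
eth0
docker0
br-4a99e748fcc1'

# On a live host, feed the real tables instead of the samples:
#   find_stale_masq_rules "$(iptables -t nat -S POSTROUTING)" \
#       "$(ip -o link show | awk -F': ' '{print $2}' | sed 's/@.*//')"
find_stale_masq_rules "$SAMPLE_RULES" "$SAMPLE_IFACES"
```

Each line it prints is a candidate for the "iptables -t nat -D POSTROUTING ..." deletion shown in the answer; confirm the interface is really gone with "ip link show" before removing anything.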