Atualmente estou enfrentando problemas com o roteamento de tráfego de fora para um contêiner docker.
Esta é a minha configuração:
- Anfitrião Rocky Linux 9.4
- Rede Docker (bridge) com faixa de IP 172.20.0.0/16
- 3 contêineres docker (executando mecanismo de varredura Rapid7, mas isso não é importante), cada um tem um serviço disponÃvel na porta 40814, mas não são exportados, além disso, cada servidor possui um IP estático (172.20.0.2-4) nessa rede docker
- configuração do firewalld no host:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 10050/tcp 40814/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
port=40814:proto=tcp:toport=40814:toaddr=172.20.0.2
source-ports:
icmp-blocks:
rich rules:
O que estou tentando alcançar é que, com base em um determinado IP de origem (outro servidor na minha rede), eu gostaria de rotear o tráfego para um dos três contêineres do docker. O outro servidor conhece apenas o IP do meu servidor Rocky Linux e a porta 40814, então o servidor Rocky Linux decide para qual docker rotear o tráfego. Esta não é uma tentativa de balanceamento de carga.
Consigo verificar se o contêiner do docker está funcionando corretamente telnet 172.20.0.2 40814(do servidor host/rocky linux), que mostra tentativas de conexão nos logs do contêiner do docker, mas quando tento fazer telnet 10.0.20.123 40814(ip do servidor rocky linux) de outros servidores no meu rede, eu só consigo Trying 10.0.20.123.... Tentar qualquer outra porta nesse IP termina imediatamente em Connection refused. Os logs também não relatam tentativas de conexão.
Eu tentei diferentes configurações de firewall como esta:
One:
firewall-cmd --add-rich-rule='rule
family="ipv4" \
source address="10.0.20.120/32" \
port protocol="tcp" port="40814" accept'
firewall-cmd --add-forward-port=port=40814:proto=tcp:toport=40814:toaddr=172.20.0.2
firewall-cmd --zone=public --add-forward-port=port=41814:proto=tcp:toaddr=172.20.0.2:toport=40814 --permanent
Two:
firewall-cmd --add-rich-rule='rule
family="ipv4" \
source address="10.0.20.120/32" \
forward-port protocol="tcp" port="41814" toport=40814 toaddr=172.20.0.2'
SELinux é Enforcing, mas não tenho certeza se isso faz diferença.
Você pode ajudar? Muito obrigado!
Editar: adicionando mais algumas informações
informações do docker relacionadas à rede:
"NetworkSettings": {
"Bridge": "",
"SandboxID": "06e60f163d002b1ef377542172f4007dcfa33749bf104315047921ac8af0d8c0",
"SandboxKey": "/var/run/docker/netns/06e60f163d00",
"Ports": {},
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"se-net": {
"IPAMConfig": {
"IPv4Address": "172.20.0.2"
},
"Links": null,
"Aliases": [
"nse-1",
"nse-1"
],
"MacAddress": "02:42:ac:14:00:02",
"DriverOpts": null,
"NetworkID": "ae57f90864d9171ee342803f1ce2d336db530482f000e8a7c2c4ef44fb9f09b9",
"EndpointID": "9f12ea7fca0ce272d3cfcd4797a4d68d88c9542d2b2ce7616581a0f2aff32f90",
"Gateway": "172.20.0.1",
"IPAddress": "172.20.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"DNSNames": [
"nse-1",
"7ee892f16d9f"
]
}
}
}
iptables-save
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jul 26 10:56:54 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [822:49320]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-ae57f90864d9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ae57f90864d9 -j DOCKER
-A FORWARD -i br-ae57f90864d9 ! -o br-ae57f90864d9 -j ACCEPT
-A FORWARD -i br-ae57f90864d9 -o br-ae57f90864d9 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-ae57f90864d9 ! -o br-ae57f90864d9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-ae57f90864d9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Jul 26 10:56:54 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jul 26 10:56:54 2024
*nat
:PREROUTING ACCEPT [434998:26094074]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [62817:4380590]
:POSTROUTING ACCEPT [62817:4380590]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.20.0.0/16 ! -o br-ae57f90864d9 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-ae57f90864d9 -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Jul 26 10:56:54 2024
conjunto de regras da lista NFT
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain DOCKER {
iifname "br-ae57f90864d9" counter packets 0 bytes 0 return
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 172.20.0.0/16 oifname != "br-ae57f90864d9" counter packets 15 bytes 900 masquerade
ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 433464 bytes 26008040 jump DOCKER
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 15 bytes 900 jump DOCKER-ISOLATION-STAGE-2
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 20043 bytes 21105956 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "br-ae57f90864d9" counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 6609 bytes 387973 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 821 bytes 49260 jump DOCKER-USER
counter packets 821 bytes 49260 jump DOCKER-ISOLATION-STAGE-1
oifname "br-ae57f90864d9" ct state related,established counter packets 0 bytes 0 accept
oifname "br-ae57f90864d9" counter packets 0 bytes 0 jump DOCKER
iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 15 bytes 900 accept
iifname "br-ae57f90864d9" oifname "br-ae57f90864d9" counter packets 0 bytes 0 accept
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 870 bytes 52200 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 20043 bytes 21105956 return
}
}
table ip6 nat {
chain DOCKER {
}
}
table ip6 filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "br-ae57f90864d9" counter packets 0 bytes 0 drop
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump DOCKER-USER
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
chain mangle_PREROUTING_ZONES {
iifname "br-ae57f90864d9" goto mangle_PRE_docker
iifname "docker0" goto mangle_PRE_docker
iifname "ens192" goto mangle_PRE_public
goto mangle_PRE_public
}
chain mangle_PREROUTING_POLICIES_post {
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "br-ae57f90864d9" goto nat_PRE_docker
iifname "docker0" goto nat_PRE_docker
iifname "ens192" goto nat_PRE_public
goto nat_PRE_public
}
chain nat_PREROUTING_POLICIES_post {
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
oifname { "docker0", "br-ae57f90864d9" } jump nat_POST_policy_docker-forwarding
}
chain nat_POSTROUTING_ZONES {
oifname "br-ae57f90864d9" goto nat_POST_docker
oifname "docker0" goto nat_POST_docker
oifname "ens192" goto nat_POST_public
goto nat_POST_public
}
chain nat_POSTROUTING_POLICIES_post {
}
chain nat_OUTPUT {
type nat hook output priority dstnat + 10; policy accept;
jump nat_OUTPUT_POLICIES_pre
jump nat_OUTPUT_POLICIES_post
}
chain nat_OUTPUT_POLICIES_pre {
}
chain nat_OUTPUT_POLICIES_post {
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_ZONES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_ZONES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "br-ae57f90864d9" goto filter_IN_docker
iifname "docker0" goto filter_IN_docker
iifname "ens192" goto filter_IN_public
goto filter_IN_public
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
oifname { "docker0", "br-ae57f90864d9" } jump filter_FWD_policy_docker-forwarding
}
chain filter_FORWARD_ZONES {
iifname "br-ae57f90864d9" goto filter_FWD_docker
iifname "docker0" goto filter_FWD_docker
iifname "ens192" goto filter_FWD_public
goto filter_FWD_public
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
chain filter_IN_public_allow {
tcp dport 22 accept
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 9090 accept
tcp dport 10050 accept
tcp dport 40814 accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
chain filter_FWD_public_allow {
oifname "ens192" accept
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.17.0.2:40814
ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.20.0.2:40814
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_IN_docker {
jump filter_INPUT_POLICIES_pre
jump filter_IN_docker_pre
jump filter_IN_docker_log
jump filter_IN_docker_deny
jump filter_IN_docker_allow
jump filter_IN_docker_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_docker_pre {
}
chain filter_IN_docker_log {
}
chain filter_IN_docker_deny {
}
chain filter_IN_docker_allow {
}
chain filter_IN_docker_post {
}
chain nat_POST_docker {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_docker_pre
jump nat_POST_docker_log
jump nat_POST_docker_deny
jump nat_POST_docker_allow
jump nat_POST_docker_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_docker_pre {
}
chain nat_POST_docker_log {
}
chain nat_POST_docker_deny {
}
chain nat_POST_docker_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_docker_post {
}
chain filter_FWD_docker {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_docker_pre
jump filter_FWD_docker_log
jump filter_FWD_docker_deny
jump filter_FWD_docker_allow
jump filter_FWD_docker_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_docker_pre {
}
chain filter_FWD_docker_log {
}
chain filter_FWD_docker_deny {
}
chain filter_FWD_docker_allow {
oifname "docker0" accept
oifname "br-ae57f90864d9" accept
}
chain filter_FWD_docker_post {
}
chain nat_PRE_docker {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_docker_pre
jump nat_PRE_docker_log
jump nat_PRE_docker_deny
jump nat_PRE_docker_allow
jump nat_PRE_docker_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_docker_pre {
}
chain nat_PRE_docker_log {
}
chain nat_PRE_docker_deny {
}
chain nat_PRE_docker_allow {
ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.20.0.2:40814
}
chain nat_PRE_docker_post {
}
chain mangle_PRE_docker {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_docker_pre
jump mangle_PRE_docker_log
jump mangle_PRE_docker_deny
jump mangle_PRE_docker_allow
jump mangle_PRE_docker_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_docker_pre {
}
chain mangle_PRE_docker_log {
}
chain mangle_PRE_docker_deny {
}
chain mangle_PRE_docker_allow {
}
chain mangle_PRE_docker_post {
}
chain filter_FWD_policy_docker-forwarding {
jump filter_FWD_policy_docker-forwarding_pre
jump filter_FWD_policy_docker-forwarding_log
jump filter_FWD_policy_docker-forwarding_deny
jump filter_FWD_policy_docker-forwarding_allow
jump filter_FWD_policy_docker-forwarding_post
accept
}
chain filter_FWD_policy_docker-forwarding_pre {
}
chain filter_FWD_policy_docker-forwarding_log {
}
chain filter_FWD_policy_docker-forwarding_deny {
}
chain filter_FWD_policy_docker-forwarding_allow {
}
chain filter_FWD_policy_docker-forwarding_post {
}
chain nat_POST_policy_docker-forwarding {
jump nat_POST_policy_docker-forwarding_pre
jump nat_POST_policy_docker-forwarding_log
jump nat_POST_policy_docker-forwarding_deny
jump nat_POST_policy_docker-forwarding_allow
jump nat_POST_policy_docker-forwarding_post
}
chain nat_POST_policy_docker-forwarding_pre {
}
chain nat_POST_policy_docker-forwarding_log {
}
chain nat_POST_policy_docker-forwarding_deny {
}
chain nat_POST_policy_docker-forwarding_allow {
}
chain nat_POST_policy_docker-forwarding_post {
}
}
firewall-cmd --listar todas as zonas
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-ae57f90864d9 docker0
sources:
services:
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.20.120/32" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.20.0.2"
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 10050/tcp 40814/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.20.120" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.20.0.2"
rule family="ipv4" source address="10.0.20.120" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.17.0.2"
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
O comando que você precisa seria:
(Observe que esta regra pode ter um "efeito colateral" inesperado se for esperado que o host roteie certos tráfegos para algum outro host/contêiner, ou seja, quando o IP de destino (original) não for um de seu próprio IP; em outras palavras, quando o IP de destino Provavelmente não se espera que NAT /
forward-portentre em vigor. Você pode querer, por exemplo, adicionar algodestination address=10.0.20.123à regra para limitar o "escopo" da regra.)Porém, o problema é que você tem uma
filtertabela que possui umahook forwardcadeia com a polÃtica sendodrop. A tabela NÃO é gerada pelo firewalld, mas por outra coisa que atrapalha o firewall viaiptables(-nft). Não tenho certeza se isso é docker. (Com a versão mais recente do Arch, ela não faz parte da polÃtica dessa rededrop.)Você pode executar:
ou insira uma regra na cadeia que faria a tabela permitir a passagem do tráfego. Por exemplo:
However, if it isn't just some "leftover" (for which the easiest way to confirm is obviously reboot and see), you'll need to find out what did it and then see what's the best way to "fix" it persistently. To confirm whether it's docker, try disable the docker service and reboot, check
:FORWARDunder*filteriniptables-save, then start the docker service and check again and see if it changes fromACCEPTtoDROP. (Actually maybe you could even just restart the docker service/daemon after runningiptables -P FORWARD ACCEPT. Probably no reboot needed.)