Accepted
KronwarsCZ
Asked: 2024-07-26 00:42:55 +0800 CST

Routing traffic to a Docker container from a specific source IP


I am currently facing a problem routing traffic from outside to a docker container.

This is my setup:

  • Rocky Linux 9.4 host
  • Docker network (bridge) with the IP range 172.20.0.0/16
  • 3 docker containers (running Rapid7 scan engines, but that is not important), each with a service available on port 40814; these services are not exported, and each has a static IP on that docker network (172.20.0.2-4)
  • firewalld configuration on the host:
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: ens192
 sources:
 services: cockpit dhcpv6-client ssh
 ports: 10050/tcp 40814/tcp
 protocols:
 forward: yes
 masquerade: yes
 forward-ports:
   port=40814:proto=tcp:toport=40814:toaddr=172.20.0.2
 source-ports:
 icmp-blocks:
 rich rules:

What I want to achieve is that, based on a given source IP (other servers on my network), traffic is routed to one of the 3 docker containers. The other server only knows the IP of my rocky linux server and port 40814, and the rocky linux server then decides which docker to route the traffic to. This is not an attempt at load balancing.

I can check that the docker container works with telnet 172.20.0.2 40814 (from the host / rocky linux server), and the connection attempt then shows up in the docker container's log, but when I try telnet 10.0.20.123 40814 from another server on the network (10.0.20.123 is the rocky linux server's IP), I only get Trying 10.0.20.123.... Trying any other port on that IP immediately ends with Connection refused. The log reports no connection attempt either.

I have tried different firewall settings, such as:

One:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.20.120/32" port protocol="tcp" port="40814" accept'
firewall-cmd --add-forward-port=port=40814:proto=tcp:toport=40814:toaddr=172.20.0.2
firewall-cmd --zone=public --add-forward-port=port=41814:proto=tcp:toaddr=172.20.0.2:toport=40814 --permanent

Two:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.20.120/32" forward-port protocol="tcp" port="41814" toport=40814 toaddr=172.20.0.2'

SELinux is enforcing, but I'm not sure whether that makes a difference.

Can you help? Many thanks!

Edit: adding more information

Network-related docker info:

"NetworkSettings": {
            "Bridge": "",
            "SandboxID": "06e60f163d002b1ef377542172f4007dcfa33749bf104315047921ac8af0d8c0",
            "SandboxKey": "/var/run/docker/netns/06e60f163d00",
            "Ports": {},
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "se-net": {
                    "IPAMConfig": {
                        "IPv4Address": "172.20.0.2"
                    },
                    "Links": null,
                    "Aliases": [
                        "nse-1",
                        "nse-1"
                    ],
                    "MacAddress": "02:42:ac:14:00:02",
                    "DriverOpts": null,
                    "NetworkID": "ae57f90864d9171ee342803f1ce2d336db530482f000e8a7c2c4ef44fb9f09b9",
                    "EndpointID": "9f12ea7fca0ce272d3cfcd4797a4d68d88c9542d2b2ce7616581a0f2aff32f90",
                    "Gateway": "172.20.0.1",
                    "IPAddress": "172.20.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "DNSNames": [
                        "nse-1",
                        "7ee892f16d9f"
                    ]
                }
            }
        }

iptables-save

# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jul 26 10:56:54 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [822:49320]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-ae57f90864d9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-ae57f90864d9 -j DOCKER
-A FORWARD -i br-ae57f90864d9 ! -o br-ae57f90864d9 -j ACCEPT
-A FORWARD -i br-ae57f90864d9 -o br-ae57f90864d9 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-ae57f90864d9 ! -o br-ae57f90864d9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-ae57f90864d9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Jul 26 10:56:54 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jul 26 10:56:54 2024
*nat
:PREROUTING ACCEPT [434998:26094074]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [62817:4380590]
:POSTROUTING ACCEPT [62817:4380590]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.20.0.0/16 ! -o br-ae57f90864d9 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-ae57f90864d9 -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Jul 26 10:56:54 2024

nft list ruleset

# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain DOCKER {
        iifname "br-ae57f90864d9" counter packets 0 bytes 0 return
        iifname "docker0" counter packets 0 bytes 0 return
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 172.20.0.0/16 oifname != "br-ae57f90864d9" counter packets 15 bytes 900 masquerade
        ip saddr 172.17.0.0/16 oifname != "docker0" counter packets 0 bytes 0 masquerade
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 433464 bytes 26008040 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority dstnat; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 15 bytes 900 jump DOCKER-ISOLATION-STAGE-2
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        counter packets 20043 bytes 21105956 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "br-ae57f90864d9" counter packets 0 bytes 0 drop
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 6609 bytes 387973 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 821 bytes 49260 jump DOCKER-USER
        counter packets 821 bytes 49260 jump DOCKER-ISOLATION-STAGE-1
        oifname "br-ae57f90864d9" ct state related,established counter packets 0 bytes 0 accept
        oifname "br-ae57f90864d9" counter packets 0 bytes 0 jump DOCKER
        iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 15 bytes 900 accept
        iifname "br-ae57f90864d9" oifname "br-ae57f90864d9" counter packets 0 bytes 0 accept
        oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
        oifname "docker0" counter packets 870 bytes 52200 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
    }

    chain DOCKER-USER {
        counter packets 20043 bytes 21105956 return
    }
}
table ip6 nat {
    chain DOCKER {
    }
}
table ip6 filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "br-ae57f90864d9" oifname != "br-ae57f90864d9" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        counter packets 0 bytes 0 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "br-ae57f90864d9" counter packets 0 bytes 0 drop
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 0 bytes 0 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 0 bytes 0 jump DOCKER-USER
    }

    chain DOCKER-USER {
        counter packets 0 bytes 0 return
    }
}
table inet firewalld {
    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_ZONES
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "br-ae57f90864d9" goto mangle_PRE_docker
        iifname "docker0" goto mangle_PRE_docker
        iifname "ens192" goto mangle_PRE_public
        goto mangle_PRE_public
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_POLICIES_pre {
        jump nat_PRE_policy_allow-host-ipv6
    }

    chain nat_PREROUTING_ZONES {
        iifname "br-ae57f90864d9" goto nat_PRE_docker
        iifname "docker0" goto nat_PRE_docker
        iifname "ens192" goto nat_PRE_public
        goto nat_PRE_public
    }

    chain nat_PREROUTING_POLICIES_post {
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_POLICIES_pre {
        oifname { "docker0", "br-ae57f90864d9" } jump nat_POST_policy_docker-forwarding
    }

    chain nat_POSTROUTING_ZONES {
        oifname "br-ae57f90864d9" goto nat_POST_docker
        oifname "docker0" goto nat_POST_docker
        oifname "ens192" goto nat_POST_public
        goto nat_POST_public
    }

    chain nat_POSTROUTING_POLICIES_post {
    }

    chain nat_OUTPUT {
        type nat hook output priority dstnat + 10; policy accept;
        jump nat_OUTPUT_POLICIES_pre
        jump nat_OUTPUT_POLICIES_post
    }

    chain nat_OUTPUT_POLICIES_pre {
    }

    chain nat_OUTPUT_POLICIES_post {
    }

    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        jump filter_INPUT_ZONES
        reject with icmpx admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ct state invalid drop
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_ZONES
        reject with icmpx admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "br-ae57f90864d9" goto filter_IN_docker
        iifname "docker0" goto filter_IN_docker
        iifname "ens192" goto filter_IN_public
        goto filter_IN_public
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
        oifname { "docker0", "br-ae57f90864d9" } jump filter_FWD_policy_docker-forwarding
    }

    chain filter_FORWARD_ZONES {
        iifname "br-ae57f90864d9" goto filter_FWD_docker
        iifname "docker0" goto filter_FWD_docker
        iifname "ens192" goto filter_FWD_public
        goto filter_FWD_public
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_public {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        jump filter_INPUT_POLICIES_post
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx admin-prohibited
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport 22 accept
        ip6 daddr fe80::/64 udp dport 546 accept
        tcp dport 9090 accept
        tcp dport 10050 accept
        tcp dport 40814 accept
    }

    chain filter_IN_public_post {
    }

    chain nat_POST_public {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_public_pre
        jump nat_POST_public_log
        jump nat_POST_public_deny
        jump nat_POST_public_allow
        jump nat_POST_public_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_public_pre {
    }

    chain nat_POST_public_log {
    }

    chain nat_POST_public_deny {
    }

    chain nat_POST_public_allow {
        meta nfproto ipv4 oifname != "lo" masquerade
    }

    chain nat_POST_public_post {
    }

    chain filter_FWD_public {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_public_pre
        jump filter_FWD_public_log
        jump filter_FWD_public_deny
        jump filter_FWD_public_allow
        jump filter_FWD_public_post
        jump filter_FORWARD_POLICIES_post
        reject with icmpx admin-prohibited
    }

    chain filter_FWD_public_pre {
    }

    chain filter_FWD_public_log {
    }

    chain filter_FWD_public_deny {
    }

    chain filter_FWD_public_allow {
        oifname "ens192" accept
    }

    chain filter_FWD_public_post {
    }

    chain nat_PRE_public {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_public_pre
        jump nat_PRE_public_log
        jump nat_PRE_public_deny
        jump nat_PRE_public_allow
        jump nat_PRE_public_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_public_pre {
    }

    chain nat_PRE_public_log {
    }

    chain nat_PRE_public_deny {
    }

    chain nat_PRE_public_allow {
        ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.17.0.2:40814
        ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.20.0.2:40814
    }

    chain nat_PRE_public_post {
    }

    chain mangle_PRE_public {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }

    chain nat_PRE_policy_allow-host-ipv6_pre {
    }

    chain nat_PRE_policy_allow-host-ipv6_log {
    }

    chain nat_PRE_policy_allow-host-ipv6_deny {
    }

    chain nat_PRE_policy_allow-host-ipv6_allow {
    }

    chain nat_PRE_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }

    chain filter_IN_docker {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_docker_pre
        jump filter_IN_docker_log
        jump filter_IN_docker_deny
        jump filter_IN_docker_allow
        jump filter_IN_docker_post
        jump filter_INPUT_POLICIES_post
        accept
    }

    chain filter_IN_docker_pre {
    }

    chain filter_IN_docker_log {
    }

    chain filter_IN_docker_deny {
    }

    chain filter_IN_docker_allow {
    }

    chain filter_IN_docker_post {
    }

    chain nat_POST_docker {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_docker_pre
        jump nat_POST_docker_log
        jump nat_POST_docker_deny
        jump nat_POST_docker_allow
        jump nat_POST_docker_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_docker_pre {
    }

    chain nat_POST_docker_log {
    }

    chain nat_POST_docker_deny {
    }

    chain nat_POST_docker_allow {
        meta nfproto ipv4 oifname != "lo" masquerade
    }

    chain nat_POST_docker_post {
    }

    chain filter_FWD_docker {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_docker_pre
        jump filter_FWD_docker_log
        jump filter_FWD_docker_deny
        jump filter_FWD_docker_allow
        jump filter_FWD_docker_post
        jump filter_FORWARD_POLICIES_post
        accept
    }

    chain filter_FWD_docker_pre {
    }

    chain filter_FWD_docker_log {
    }

    chain filter_FWD_docker_deny {
    }

    chain filter_FWD_docker_allow {
        oifname "docker0" accept
        oifname "br-ae57f90864d9" accept
    }

    chain filter_FWD_docker_post {
    }

    chain nat_PRE_docker {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_docker_pre
        jump nat_PRE_docker_log
        jump nat_PRE_docker_deny
        jump nat_PRE_docker_allow
        jump nat_PRE_docker_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_docker_pre {
    }

    chain nat_PRE_docker_log {
    }

    chain nat_PRE_docker_deny {
    }

    chain nat_PRE_docker_allow {
        ip saddr 10.0.20.120 tcp dport 40814 dnat ip to 172.20.0.2:40814
    }

    chain nat_PRE_docker_post {
    }

    chain mangle_PRE_docker {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_docker_pre
        jump mangle_PRE_docker_log
        jump mangle_PRE_docker_deny
        jump mangle_PRE_docker_allow
        jump mangle_PRE_docker_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_docker_pre {
    }

    chain mangle_PRE_docker_log {
    }

    chain mangle_PRE_docker_deny {
    }

    chain mangle_PRE_docker_allow {
    }

    chain mangle_PRE_docker_post {
    }

    chain filter_FWD_policy_docker-forwarding {
        jump filter_FWD_policy_docker-forwarding_pre
        jump filter_FWD_policy_docker-forwarding_log
        jump filter_FWD_policy_docker-forwarding_deny
        jump filter_FWD_policy_docker-forwarding_allow
        jump filter_FWD_policy_docker-forwarding_post
        accept
    }

    chain filter_FWD_policy_docker-forwarding_pre {
    }

    chain filter_FWD_policy_docker-forwarding_log {
    }

    chain filter_FWD_policy_docker-forwarding_deny {
    }

    chain filter_FWD_policy_docker-forwarding_allow {
    }

    chain filter_FWD_policy_docker-forwarding_post {
    }

    chain nat_POST_policy_docker-forwarding {
        jump nat_POST_policy_docker-forwarding_pre
        jump nat_POST_policy_docker-forwarding_log
        jump nat_POST_policy_docker-forwarding_deny
        jump nat_POST_policy_docker-forwarding_allow
        jump nat_POST_policy_docker-forwarding_post
    }

    chain nat_POST_policy_docker-forwarding_pre {
    }

    chain nat_POST_policy_docker-forwarding_log {
    }

    chain nat_POST_policy_docker-forwarding_deny {
    }

    chain nat_POST_policy_docker-forwarding_allow {
    }

    chain nat_POST_policy_docker-forwarding_post {
    }
}

firewall-cmd --list-all-zones

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: br-ae57f90864d9 docker0
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="10.0.20.120/32" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.20.0.2"

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 10050/tcp 40814/tcp
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="10.0.20.120" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.20.0.2"
    rule family="ipv4" source address="10.0.20.120" forward-port port="40814" protocol="tcp" to-port="40814" to-addr="172.17.0.2"

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Tag: docker

1 answer

Best Answer
Tom Yan
2024-07-26T20:37:50+08:00

The command you need is:

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.20.120 forward-port protocol=tcp port=40814 to-port=40814 to-addr=172.17.0.2'

(Note that this rule may have unintended "side effects" if the host is expected to route some traffic to other hosts/containers, i.e. when the (original) destination IP is not one of its own; in other words, when destination NAT / forward-port may not take effect. You may want to, for example, add destination address=10.0.20.123 to the rule to limit its "scope".)

However, the problem is that you have a filter table which contains a chain with hook forward whose policy is drop. That table is not generated by firewalld but by something else that interferes with firewalld through iptables(-nft). I'm not entirely sure whether that is docker. (With the latest version on Arch, it does not set that chain's policy to drop.)

You can run:

iptables -P FORWARD ACCEPT

or insert a rule into the chain so that the table lets the traffic through. For example:

iptables -I FORWARD -s 10.0.20.120 -d 172.17.0.2 -p tcp --dport 40814 -j ACCEPT

However, if it isn't just some "leftover" (for which the easiest way to confirm is obviously to reboot and see), you'll need to find out what did it and then see what the best way is to "fix" it persistently. To confirm whether it's docker, try disabling the docker service and rebooting, check :FORWARD under *filter in iptables-save, then start the docker service and check again to see if it changes from ACCEPT to DROP. (Actually you could maybe even just restart the docker service/daemon after running iptables -P FORWARD ACCEPT. Probably no reboot needed.)
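As an added example (not code from the question or the answer), here is a small POSIX shell checker that reads an iptables-save dump offline and reports whether a given source-to-container flow would get past the filter FORWARD chain, using the addresses from the question (10.0.20.120 to 172.20.0.2:40814). It looks in both FORWARD and DOCKER-USER because Docker's documentation reserves DOCKER-USER for administrator-added rules; the two dumps are constructed, abridged copies of the question's *filter table before and after inserting the narrow accept rule the answer suggests.

```shell
#!/bin/sh
# Added example: offline check of an iptables-save dump for the failure mode
# in the answer (filter/FORWARD policy DROP, no rule admitting the DNATed
# flow). Heuristic only: rule order and negated ("!") matches are ignored.

# Constructed sample: the *filter table of the question's dump, abridged.
DUMP_BEFORE='# Generated by iptables-save v1.8.10 (nf_tables)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [822:49320]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o br-ae57f90864d9 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed: the same dump after the narrow accept rule from the answer,
# written with the container address used in the question (172.20.0.2).
DUMP_AFTER='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [822:49320]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -s 10.0.20.120/32 -d 172.20.0.2/32 -p tcp -m tcp --dport 40814 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o br-ae57f90864d9 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT'

# chain_policy TABLE CHAIN DUMP: print the policy of a builtin chain
# (the ":CHAIN POLICY [pkts:bytes]" line inside the "*TABLE" section).
chain_policy() {
    printf '%s\n' "$3" | awk -v tbl="*$1" -v chn=":$2" '
        $1 == tbl           { inside = 1; next }
        $1 == "COMMIT"      { inside = 0 }
        inside && $1 == chn { print $2; exit }'
}

# has_accept CHAIN SRC DST DPORT DUMP: succeed if CHAIN in *filter holds an
# ACCEPT rule whose -s/-d/--dport are absent (match-all) or equal to the
# given flow. A /32 suffix is normalised away before comparing.
has_accept() {
    printf '%s\n' "$5" | awk -v chn="$1" -v s="$2" -v d="$3" -v p="$4" '
        $1 == "*filter" { inside = 1; next }
        $1 == "COMMIT"  { inside = 0 }
        inside && $1 == "-A" && $2 == chn {
            src = ""; dst = ""; dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-d") dst = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            sub(/\/32$/, "", src); sub(/\/32$/, "", dst)
            if (target == "ACCEPT" && (src == "" || src == s) &&
                (dst == "" || dst == d) && (dport == "" || dport == p)) {
                found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# forward_verdict SRC DST DPORT DUMP: "pass" if the FORWARD policy is ACCEPT
# or an explicit accept exists in FORWARD or DOCKER-USER, else "blocked".
forward_verdict() {
    if [ "$(chain_policy filter FORWARD "$4")" = "ACCEPT" ]; then
        echo pass; return 0
    fi
    for chn in FORWARD DOCKER-USER; do
        if has_accept "$chn" "$1" "$2" "$3" "$4"; then
            echo pass; return 0
        fi
    done
    echo blocked
}

# Demo: the question's dump blocks the flow, the amended one passes it.
forward_verdict 10.0.20.120 172.20.0.2 40814 "$DUMP_BEFORE"   # blocked
forward_verdict 10.0.20.120 172.20.0.2 40814 "$DUMP_AFTER"    # pass
```

On a live host, feed it `iptables-save` output instead of the constructed dumps; a "pass" only means no obvious blocker was found, so confirm with the container log as the question does.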