Iptables

DOCKER-ISOLATION iptables 規則阻止網橋轉發流量

  • May 29, 2017

我有一台執行 KVM 和 Docker 的伺服器。物理機有IP 192.168.1.13,KVM裡面的機器有192.168.1.40,其埠橋接到物理機上的物理網路介面。問題是外界無法訪問VM,反之亦然。但是主機能夠訪問外部世界和虛擬機。

這是ifconfig主機上的結果:

... (lo interface ignored)

br-5c76c0836bc3 Link encap:Ethernet  HWaddr 02:42:f8:92:8d:06  
         inet addr:172.18.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
         inet6 addr: fe80::42:f8ff:fe92:8d06/64 Scope:Link
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:0 (0.0 B)  TX bytes:496 (496.0 B)

docker0   Link encap:Ethernet  HWaddr 02:42:41:9e:bc:0f  
         inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
         inet6 addr: fe80::42:41ff:fe9e:bc0f/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3 errors:0 dropped:0 overruns:0 frame:0
         TX packets:72555 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:100 (100.0 B)  TX bytes:8895509 (8.8 MB)

veth312b28e Link encap:Ethernet  HWaddr 56:2c:1c:a1:93:d6  
         inet6 addr: fe80::542c:1cff:fea1:93d6/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:3 errors:0 dropped:0 overruns:0 frame:0
         TX packets:107147 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0 
         RX bytes:142 (142.0 B)  TX bytes:13511363 (13.5 MB)

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
         inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br0       Link encap:Ethernet  HWaddr 94:**:**:**:**:d5  
         inet addr:192.168.1.13  Bcast:192.168.1.255  Mask:255.255.255.0
         inet6 addr: fe80::96de:80ff:fed9:e8d5/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:8668453 errors:0 dropped:0 overruns:0 frame:0
         TX packets:7807533 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:18268047855 (18.2 GB)  TX bytes:8304004607 (8.3 GB)

enp2s0    Link encap:Ethernet  HWaddr 94:**:**:**:**:d5  
         inet6 addr: fe80::96de:80ff:fed9:e8d5/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:16943241 errors:0 dropped:289 overruns:0 frame:0
         TX packets:10558830 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:19001088198 (19.0 GB)  TX bytes:8478281605 (8.4 GB)

vnet0     Link encap:Ethernet  HWaddr fe:54:00:**:**:0c  
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:809 errors:0 dropped:0 overruns:0 frame:0
         TX packets:133 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:70397 (70.3 KB)  TX bytes:11914 (11.9 KB)

這是brctl show結果:

bridge name     bridge id               STP enabled     interfaces
br-5c76c0836bc3         8000.0242f8928d06       no
br0             8000.94de80d9e8d5       yes             enp2s0
                                                       vnet0
docker0         8000.0242419ebc0f       no              veth312b28e
virbr0          8000.000000000000       yes

我調查了這個問題,發現 iptables 正在丟棄我的數據包。

# iptables -x -v --line-numbers -L FORWARD                                                                               1 ↵
Chain FORWARD (policy DROP 7422 packets, 740173 bytes)
num      pkts      bytes target     prot opt in     out     source               destination         
1           0        0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
2           0        0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere            
3           0        0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
4           0        0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
5           0        0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable
6       31719  2588550 DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere            
7           1       40 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
8           1       44 DOCKER     all  --  any    docker0  anywhere             anywhere            
9           1       44 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere            
10          0        0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere            
11          0        0 ACCEPT     all  --  any    br-5c76c0836bc3  anywhere             anywhere             ctstate RELATED,ESTABLISHED
12          0        0 DOCKER     all  --  any    br-5c76c0836bc3  anywhere             anywhere            
13          0        0 ACCEPT     all  --  br-5c76c0836bc3 !br-5c76c0836bc3  anywhere             anywhere            
14          0        0 ACCEPT     all  --  br-5c76c0836bc3 br-5c76c0836bc3  anywhere             anywhere

當從 VM 向外界 ping 時,計數器和第 6 行policy DROPpkts計數器將隨著每個 ICMP 回顯數據包增加 1。這怎麼可能發生?如何解決?

我發現這不是 的錯DOCKER-ISOLATION,而是由於bridge-nf-call-iptables打開了該選項。打開它會導致 iptables 處理流量,從而丟棄數據包。

引用自:https://serverfault.com/questions/852817

相關問答

Linux

在添加或刪除新設備的情況下,網橋上的網路連接中斷

  • September 19, 2018
檢視問答
Iptables

Firewalld 埠轉發 Proxmox 使埠無法用於其他連接

  • October 20, 2021
檢視問答
Linux-Networking

未從 Docker 容器轉發的 UDP 流量 -> Docker 主機

  • March 20, 2021
檢視問答
Iptables

IP 數據包停留在路由決策中

  • July 5, 2019
檢視問答
Iptables

Docker 破壞 libvirt 橋接網路

  • June 18, 2019
檢視問答
Networking

如何匹配虛擬乙太網鏈路的兩端?

  • March 10, 2018
檢視問答