Iptables
I may have broken container port mapping
Port mapping doesn't work. I don't know whether it's something I did or what.
Setup:
Arch Linux with kernel 5.16, Docker 20.10.12, using nginx-proxy and its acme companion to obtain certificates for various applications in other containers. Everything was definitely working well. Then suddenly I started getting 502 errors from the nginx proxy. It couldn't reach the containerized applications on the ports I had specified. On investigation, I found that the other containers were simply opening whatever ports they wanted on the host. The host even thinks the originally specified port is open, but it isn't. So, for example, one of my applications is just nginx again, serving a website. I told Docker to map port 8001 on the host to port 80 in the container. Then, when I use lsof to show which ports are open on the host, I see 8001 in use. But I can't reach anything there; I can reach it on port 80 (even though the nginx proxy is also using 80). nmap confirms that only port 80 is actually open on the container. One thing I did recently was change the default policy of the FORWARD chain in iptables. I don't understand why changing the default would matter for packets that are already being routed somewhere.
Configuration:
Configuration of the nginx-proxy container:
[ { "Id": "e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123", "Created": "2022-03-02T16:16:07.626095681Z", "Path": "/app/docker-entrypoint.sh", "Args": [ "forego", "start", "-r" ], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 2767, "ExitCode": 0, "Error": "", "StartedAt": "2022-03-02T16:16:08.672491906Z", "FinishedAt": "0001-01-01T00:00:00Z" }, "Image": "sha256:82ea330a72d6f9d955287dc6e2c4c57a1466d480688574a4d0997c981bc495f3", "ResolvConfPath": "/var/lib/docker/containers/e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123/resolv.conf", "HostnamePath": "/var/lib/docker/containers/e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123/hostname", "HostsPath": "/var/lib/docker/containers/e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123/hosts", "LogPath": "/var/lib/docker/containers/e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123/e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123-json.log", "Name": "/nginx-proxy", "RestartCount": 0, "Driver": "btrfs", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "", "ExecIDs": null, "HostConfig": { "Binds": [ "/var/run/docker.sock:/tmp/docker.sock:ro" ], "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "ivonet", "PortBindings": { "443/tcp": [ { "HostIp": "", "HostPort": "443" } ], "80/tcp": [ { "HostIp": "", "HostPort": "80" } ] }, "RestartPolicy": { "Name": "always", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "CgroupnsMode": "private", "Dns": null, "DnsOptions": null, "DnsSearch": null, "ExtraHosts": null, "GroupAdd": null, "IpcMode": "private", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", 
"UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": null, "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": null, "DeviceCgroupRules": null, "DeviceRequests": null, "KernelMemory": 0, "KernelMemoryTCP": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": null, "PidsLimit": null, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "Mounts": [ { "Type": "volume", "Source": "nginx-proxy_conf", "Target": "/etc/nginx/conf.d", "VolumeOptions": {} }, { "Type": "volume", "Source": "nginx-proxy_vhost", "Target": "/etc/nginx/vhost.d", "VolumeOptions": {} }, { "Type": "volume", "Source": "nginx-proxy_html", "Target": "/usr/share/nginx/html", "VolumeOptions": {} }, { "Type": "volume", "Source": "nginx-proxy_certs", "Target": "/etc/nginx/certs", "ReadOnly": true, "VolumeOptions": {} } ], "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": null, "Name": "btrfs" }, "Mounts": [ { "Type": "volume", "Name": "nginx-proxy_html", "Source": "/var/lib/docker/volumes/nginx-proxy_html/_data", "Destination": "/usr/share/nginx/html", "Driver": "local", "Mode": "z", "RW": true, "Propagation": "" }, { "Type": "volume", "Name": "nginx-proxy_certs", "Source": "/var/lib/docker/volumes/nginx-proxy_certs/_data", "Destination": "/etc/nginx/certs", "Driver": "local", "Mode": "z", "RW": false, "Propagation": "" }, { "Type": 
"bind", "Source": "/var/run/docker.sock", "Destination": "/tmp/docker.sock", "Mode": "ro", "RW": false, "Propagation": "rprivate" }, { "Type": "volume", "Name": "nginx-proxy_conf", "Source": "/var/lib/docker/volumes/nginx-proxy_conf/_data", "Destination": "/etc/nginx/conf.d", "Driver": "local", "Mode": "z", "RW": true, "Propagation": "" }, { "Type": "volume", "Name": "nginx-proxy_vhost", "Source": "/var/lib/docker/volumes/nginx-proxy_vhost/_data", "Destination": "/etc/nginx/vhost.d", "Driver": "local", "Mode": "z", "RW": true, "Propagation": "" } ], "Config": { "Hostname": "nginx-proxy", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "ExposedPorts": { "443/tcp": {}, "80/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NGINX_VERSION=1.21.6", "NJS_VERSION=0.7.2", "PKG_RELEASE=1", "NGINX_PROXY_VERSION=0.10.1-29-gfb8ddfd", "DOCKER_GEN_VERSION=0.8.2", "DOCKER_HOST=unix:///tmp/docker.sock" ], "Cmd": [ "forego", "start", "-r" ], "Image": "nginxproxy/nginx-proxy:alpine", "Volumes": { "/etc/nginx/certs": {}, "/etc/nginx/conf.d": {}, "/etc/nginx/vhost.d": {}, "/tmp/docker.sock": {}, "/usr/share/nginx/html": {} }, "WorkingDir": "/app", "Entrypoint": [ "/app/docker-entrypoint.sh" ], "OnBuild": null, "Labels": { "com.docker.compose.config-hash": "3324b86760e2e436e707f1310aef7724e088d661c1bbeaaf573104e2644a08b0", "com.docker.compose.container-number": "1", "com.docker.compose.depends_on": "", "com.docker.compose.image": "sha256:82ea330a72d6f9d955287dc6e2c4c57a1466d480688574a4d0997c981bc495f3", "com.docker.compose.oneoff": "False", "com.docker.compose.project": "nginx-proxy", "com.docker.compose.project.config_files": "/home/winfield/contain/nginx-proxy/docker-compose.yaml", "com.docker.compose.project.working_dir": "/home/winfield/contain/nginx-proxy", "com.docker.compose.service": "nginx-proxy", "com.docker.compose.version": "2.2.3", 
"maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>", "org.opencontainers.image.authors": "Nicolas Duchon <nicolas.duchon@gmail.com> (@buchdag), Jason Wilder", "org.opencontainers.image.created": "2022-02-28T00:02:10.384Z", "org.opencontainers.image.description": "Automated nginx proxy for Docker containers using docker-gen", "org.opencontainers.image.licenses": "MIT", "org.opencontainers.image.revision": "fb8ddfd08c0f6cb53e583ea22ff8be06f69c50dc", "org.opencontainers.image.source": "https://github.com/nginx-proxy/nginx-proxy", "org.opencontainers.image.title": "nginx-proxy", "org.opencontainers.image.url": "https://github.com/nginx-proxy/nginx-proxy", "org.opencontainers.image.version": "0.10.1-29-gfb8ddfd" }, "StopSignal": "SIGQUIT" }, "NetworkSettings": { "Bridge": "", "SandboxID": "cb385fa1d3dab87cccd2d89e70708e27e8bc1815867ae5fbc7e1c2f75000dc25", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": { "443/tcp": [ { "HostIp": "0.0.0.0", "HostPort": "443" }, { "HostIp": "::", "HostPort": "443" } ], "80/tcp": [ { "HostIp": "0.0.0.0", "HostPort": "80" }, { "HostIp": "::", "HostPort": "80" } ] }, "SandboxKey": "/var/run/docker/netns/cb385fa1d3da", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": { "ivonet": { "IPAMConfig": null, "Links": null, "Aliases": [ "nginx-proxy", "nginx-proxy", "e24130ccef2b" ], "NetworkID": "694e4c767b2eeca4c039e518db8294c2cc32a3be38f5dd0ad8779bce4099929c", "EndpointID": "e653f85d0381f1c3bdaca9935eff3e4129d7941cf9c246d80e181e477c0bd79b", "Gateway": "172.18.0.1", "IPAddress": "172.18.0.3", "IPPrefixLen": 24, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "02:42:ac:12:00:03", "DriverOpts": null } } } } ]
Configuration of the proxied nginx container:
[ { "Id": "e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c", "Created": "2022-03-02T16:16:23.658997558Z", "Path": "/docker-entrypoint.sh", "Args": [ "nginx", "-g", "daemon off;" ], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 3633, "ExitCode": 0, "Error": "", "StartedAt": "2022-03-02T16:16:24.099412527Z", "FinishedAt": "0001-01-01T00:00:00Z" }, "Image": "sha256:bef258acf10dc257d641c47c3a600c92f87be4b4ce4a5e4752b3eade7533dcd9", "ResolvConfPath": "/var/lib/docker/containers/e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c/resolv.conf", "HostnamePath": "/var/lib/docker/containers/e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c/hostname", "HostsPath": "/var/lib/docker/containers/e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c/hosts", "LogPath": "/var/lib/docker/containers/e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c/e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c-json.log", "Name": "/atsuo.tg", "RestartCount": 0, "Driver": "btrfs", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "", "ExecIDs": null, "HostConfig": { "Binds": [ "/home/winfield/contain/atsuo.tg/site:/usr/share/nginx/html:rw" ], "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "ivonet", "PortBindings": { "80/tcp": [ { "HostIp": "", "HostPort": "8001" } ] }, "RestartPolicy": { "Name": "", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "CgroupnsMode": "private", "Dns": null, "DnsOptions": null, "DnsSearch": null, "ExtraHosts": null, "GroupAdd": null, "IpcMode": "private", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, 
"Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": null, "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": null, "DeviceCgroupRules": null, "DeviceRequests": null, "KernelMemory": 0, "KernelMemoryTCP": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": null, "PidsLimit": null, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": null, "Name": "btrfs" }, "Mounts": [ { "Type": "bind", "Source": "/home/winfield/contain/atsuo.tg/site", "Destination": "/usr/share/nginx/html", "Mode": "rw", "RW": true, "Propagation": "rprivate" } ], "Config": { "Hostname": "atsuotg", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "ExposedPorts": { "80/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "VIRTUAL_PORT=8001", "LETSENCRYPT_HOST=atsuo.tg", "VIRTUAL_HOST=atsuo.tg", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "NGINX_VERSION=1.21.6", "NJS_VERSION=0.7.2", "PKG_RELEASE=1" ], "Cmd": [ "nginx", "-g", "daemon off;" ], "Image": "nginx:alpine", "Volumes": { "/usr/share/nginx/html": {} }, "WorkingDir": "", "Entrypoint": [ "/docker-entrypoint.sh" ], "OnBuild": null, "Labels": { "com.docker.compose.config-hash": "1f56d3b21bfd2b60df186db7d9ee19865f777207a470f0f36fd37a27cd65acef", 
"com.docker.compose.container-number": "1", "com.docker.compose.depends_on": "", "com.docker.compose.oneoff": "False", "com.docker.compose.project": "atsuotg", "com.docker.compose.project.config_files": "/home/winfield/contain/atsuo.tg/docker-compose.yaml", "com.docker.compose.project.working_dir": "/home/winfield/contain/atsuo.tg", "com.docker.compose.service": "atsuo.tg", "com.docker.compose.version": "2.2.3", "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>" }, "StopSignal": "SIGQUIT" }, "NetworkSettings": { "Bridge": "", "SandboxID": "9339a100e64c7de59e3c6b9f00761ce9bc90789b8139daed8781c14bc91258e8", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": { "80/tcp": [ { "HostIp": "0.0.0.0", "HostPort": "8001" }, { "HostIp": "::", "HostPort": "8001" } ] }, "SandboxKey": "/var/run/docker/netns/9339a100e64c", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": { "ivonet": { "IPAMConfig": null, "Links": null, "Aliases": [ "atsuo.tg", "atsuo.tg", "e0b1be5c35ff", "atsuotg" ], "NetworkID": "694e4c767b2eeca4c039e518db8294c2cc32a3be38f5dd0ad8779bce4099929c", "EndpointID": "6ccfdba4120787c39c71505403db08c67f32284637e5bbf2c4abbf0cdb8c15b7", "Gateway": "172.18.0.1", "IPAddress": "172.18.0.4", "IPPrefixLen": 24, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "02:42:ac:12:00:04", "DriverOpts": null } } } } ]
Configuration of the Docker custom bridge network:
[ { "Name": "ivonet", "Id": "694e4c767b2eeca4c039e518db8294c2cc32a3be38f5dd0ad8779bce4099929c", "Created": "2022-03-02T11:15:32.631561185-05:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "172.18.0.0/24", "Gateway": "172.18.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "adac9051c7813cd9bab6747c798e058983c061b56fbcc9d5cee9d6dacd35461b": { "Name": "nginx-acme", "EndpointID": "15ae704194cf33bad77911800541de67f2ee099229014106af65b09d9bf58fa9", "MacAddress": "02:42:ac:12:00:02", "IPv4Address": "172.18.0.2/24", "IPv6Address": "" }, "e0b1be5c35ff60f337087f58819be190dcf495796114b6a2054dd78cf0e4679c": { "Name": "atsuo.tg", "EndpointID": "6ccfdba4120787c39c71505403db08c67f32284637e5bbf2c4abbf0cdb8c15b7", "MacAddress": "02:42:ac:12:00:04", "IPv4Address": "172.18.0.4/24", "IPv6Address": "" }, "e24130ccef2bce43a11ebe5686e9a0ca45a7b0b13e32c4649095d11fd0361123": { "Name": "nginx-proxy", "EndpointID": "e653f85d0381f1c3bdaca9935eff3e4129d7941cf9c246d80e181e477c0bd79b", "MacAddress": "02:42:ac:12:00:03", "IPv4Address": "172.18.0.3/24", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.enable_icc": "true" }, "Labels": {} } ]
iptables-save output on the host:
# Generated by iptables-save v1.8.7 on Wed Mar 2 15:59:49 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-694e4c767b2e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-694e4c767b2e -j DOCKER
-A FORWARD -i br-694e4c767b2e ! -o br-694e4c767b2e -j ACCEPT
-A FORWARD -i br-694e4c767b2e -o br-694e4c767b2e -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-694e4c767b2e -o br-694e4c767b2e -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-694e4c767b2e -o br-694e4c767b2e -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-694e4c767b2e -o br-694e4c767b2e -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-694e4c767b2e ! -o br-694e4c767b2e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-694e4c767b2e -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Mar 2 15:59:49 2022
# Generated by iptables-save v1.8.7 on Wed Mar 2 15:59:49 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/24 ! -o br-694e4c767b2e -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.3/32 -d 172.18.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.18.0.4/32 -d 172.18.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i br-694e4c767b2e -j RETURN
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i br-694e4c767b2e -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.3:443
-A DOCKER ! -i br-694e4c767b2e -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.3:80
-A DOCKER ! -i br-694e4c767b2e -p tcp -m tcp --dport 8001 -j DNAT --to-destination 172.18.0.4:80
COMMIT
# Completed on Wed Mar 2 15:59:49 2022
lsof -i -P -n | grep LISTEN output on the host:
systemd-r   911 systemd-resolve 12u IPv4 22667 0t0 TCP *:5355 (LISTEN)
systemd-r   911 systemd-resolve 14u IPv6 22670 0t0 TCP *:5355 (LISTEN)
systemd-r   911 systemd-resolve 18u IPv4 22673 0t0 TCP 127.0.0.53:53 (LISTEN)
systemd-r   911 systemd-resolve 20u IPv4 22675 0t0 TCP 127.0.0.54:53 (LISTEN)
sshd        914 root             3u IPv4 46226 0t0 TCP *:26506 (LISTEN)
sshd        914 root             4u IPv6 46228 0t0 TCP *:26506 (LISTEN)
mariadbd    964 mysql           19u IPv4 57354 0t0 TCP *:3306 (LISTEN)
mariadbd    964 mysql           21u IPv6 57355 0t0 TCP *:3306 (LISTEN)
docker-pr  2674 root             4u IPv4 53545 0t0 TCP *:443 (LISTEN)
docker-pr  2681 root             4u IPv6 62592 0t0 TCP *:443 (LISTEN)
docker-pr  2694 root             4u IPv4 51280 0t0 TCP *:80 (LISTEN)
docker-pr  2700 root             4u IPv6 53552 0t0 TCP *:80 (LISTEN)
docker-pr  3591 root             4u IPv4 50347 0t0 TCP *:8001 (LISTEN)
docker-pr  3597 root             4u IPv6 46444 0t0 TCP *:8001 (LISTEN)
The VIRTUAL_PORT setting looks wrong. You are using VIRTUAL_PORT=8001 while the container is listening on port 80. So you should use VIRTUAL_PORT=80. Connections between containers happen over a common user-created network (such as ivonet) and on the container's own port. Ports published on the host are for external users to reach the container by connecting to the host port, which is forwarded to the container port.
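As an added example (not part of the question or the answer above, and not nginx-proxy's own code), the following Python script turns the answer's point into a repeatable check. It reads the fields of `docker inspect` and `iptables-save` that matter here, from a constructed, trimmed excerpt of the output posted in the question, and reports (a) any VIRTUAL_PORT that is not a port the container actually exposes, which is exactly the 8001-vs-80 mismatch that makes nginx-proxy dial 172.18.0.4:8001 and return 502, and (b) any published port that lacks either Docker's nat DNAT rule or its filter-table DOCKER ACCEPT rule; the ACCEPT rule is what keeps a published port reachable once the FORWARD policy is DROP. The regular expressions assume the rule layout Docker 20.10 generates, as shown in the question's iptables-save output.

```python
"""Cross-check nginx-proxy VIRTUAL_PORT and Docker port publishing against
the container's exposed ports and the host's iptables rules.
Added example; the sample data below is a constructed, trimmed excerpt of the
docker inspect and iptables-save output posted in the question."""
import re

# Constructed sample: only the inspect fields this check needs.
CONTAINERS = [
    {
        "Name": "/nginx-proxy",
        "Config": {"ExposedPorts": {"443/tcp": {}, "80/tcp": {}},
                   "Env": ["DOCKER_HOST=unix:///tmp/docker.sock"]},
        "HostConfig": {"PortBindings": {
            "443/tcp": [{"HostIp": "", "HostPort": "443"}],
            "80/tcp": [{"HostIp": "", "HostPort": "80"}]}},
        "NetworkSettings": {"Networks": {"ivonet": {"IPAddress": "172.18.0.3"}}},
    },
    {
        "Name": "/atsuo.tg",
        "Config": {"ExposedPorts": {"80/tcp": {}},
                   "Env": ["VIRTUAL_PORT=8001", "VIRTUAL_HOST=atsuo.tg"]},
        "HostConfig": {"PortBindings": {
            "80/tcp": [{"HostIp": "", "HostPort": "8001"}]}},
        "NetworkSettings": {"Networks": {"ivonet": {"IPAddress": "172.18.0.4"}}},
    },
]

# Constructed sample: the iptables-save rules that matter for published ports.
IPTABLES_SAVE = """\
*filter
:FORWARD DROP [0:0]
-A DOCKER -d 172.18.0.3/32 ! -i br-694e4c767b2e -o br-694e4c767b2e -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-694e4c767b2e -o br-694e4c767b2e -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.4/32 ! -i br-694e4c767b2e -o br-694e4c767b2e -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
-A DOCKER ! -i br-694e4c767b2e -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.3:443
-A DOCKER ! -i br-694e4c767b2e -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.3:80
-A DOCKER ! -i br-694e4c767b2e -p tcp -m tcp --dport 8001 -j DNAT --to-destination 172.18.0.4:80
COMMIT
"""

# Rule shapes as generated by Docker 20.10 (assumption: other versions may differ).
DNAT_RE = re.compile(r"--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")
ACCEPT_RE = re.compile(r"^-A DOCKER -d ([\d.]+)/32 .*--dport (\d+) -j ACCEPT$")
POLICY_RE = re.compile(r"^:FORWARD (\w+)")


def parse_iptables(text):
    """Return (FORWARD policy, {host port: (container ip, port)}, {(ip, port) accepted})."""
    policy, dnat, accept = None, {}, set()
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policy = m.group(1)
        elif m := DNAT_RE.search(line):
            dnat[int(m.group(1))] = (m.group(2), int(m.group(3)))
        elif m := ACCEPT_RE.match(line):
            accept.add((m.group(1), int(m.group(2))))
    return policy, dnat, accept


def env_value(entry, key):
    """Value of KEY=... in the container's Env list, or None if unset."""
    for item in entry["Config"].get("Env", []):
        if item.startswith(key + "="):
            return item[len(key) + 1:]
    return None


def check_container(entry, dnat, accept):
    """Return a list of human-readable findings; an empty list means consistent."""
    name = entry["Name"].lstrip("/")
    ip = next(iter(entry["NetworkSettings"]["Networks"].values()))["IPAddress"]
    exposed = {int(p.split("/")[0]) for p in entry["Config"].get("ExposedPorts", {})
               if p.endswith("/tcp")}
    findings = []
    # nginx-proxy dials <container ip>:<VIRTUAL_PORT> on the shared network,
    # so VIRTUAL_PORT must be a port the container itself listens on.
    vport = env_value(entry, "VIRTUAL_PORT")
    if vport is not None and int(vport) not in exposed:
        findings.append(f"{name}: VIRTUAL_PORT={vport} but the container exposes "
                        f"{sorted(exposed)}; the proxy will dial {ip}:{vport} and get a 502")
    # Each published port needs the nat DNAT rule plus the filter DOCKER ACCEPT
    # rule; the ACCEPT is what lets the forwarded packet through under FORWARD DROP.
    for cport_proto, binds in entry["HostConfig"].get("PortBindings", {}).items():
        cport = int(cport_proto.split("/")[0])
        for b in binds:
            hport = int(b["HostPort"])
            if dnat.get(hport) != (ip, cport):
                findings.append(f"{name}: missing nat DNAT for host port {hport} -> {ip}:{cport}")
            if (ip, cport) not in accept:
                findings.append(f"{name}: missing filter DOCKER ACCEPT for {ip}:{cport}")
    return findings


def audit(containers, iptables_text):
    """Map container name -> findings for every container given."""
    _policy, dnat, accept = parse_iptables(iptables_text)
    return {c["Name"].lstrip("/"): check_container(c, dnat, accept) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(CONTAINERS, IPTABLES_SAVE).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the sample it flags only atsuo.tg, for the VIRTUAL_PORT mismatch; both published ports have their DNAT and ACCEPT rules, which is why the FORWARD DROP policy by itself did not break the host-side mapping in this output. On a live host, feed it the JSON from `docker inspect $(docker ps -q)` and the text of `iptables-save` instead of the embedded samples; after applying the answer's fix (VIRTUAL_PORT=80) the finding disappears.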