Networking

Container cannot access the Internet on Ubuntu 20.04

  • October 1, 2020

I am trying to update packages from an ubuntu container; however, the update fails, and I noticed that I cannot connect anywhere, even though I am able to look up DNS names.

I am using the nicolaka/netshoot container to test the network.

I used the `tcpdump` command to trace any errors related to the messages being sent, and testing with ping from the container results in the following error: "ICMP time exceeded in-transit".

tcpdump on the host interface:

16:18:25.257270 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 3, length 64
16:18:25.257314 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:26.237575 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 4, length 64
16:18:26.286692 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 4, length 64
16:18:26.286757 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:27.261770 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 5, length 64
16:18:27.302193 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 5, length 64
16:18:27.302241 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:28.285631 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 6, length 64
16:18:28.329531 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 6, length 64
16:18:28.329596 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:29.309767 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 7, length 64
16:18:29.353202 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 7, length 64
16:18:29.353272 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92

Also, I am not sure whether my iptables rules are what is expected for docker containers to get Internet connectivity.

iptables -nvL:

Chain INPUT (policy ACCEPT 1015 packets, 437K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
 266 21762 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 266 21762 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  15  1513 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
 251 20249 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 1323 packets, 142K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target     prot opt in     out     source               destination         
 251 20249 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
 266 21762 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
 251 20249 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
pkts bytes target     prot opt in     out     source               destination         
 266 21762 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

I also noticed that traceroute goes through my router and that I am able to get nslookup results; is my ISP throwing me under the bus?

Traceroute results

I am going to close this question because I found that the problem was with my ISP: it uses NAT, and since docker also uses NAT, the container was blocked from its Internet access.
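An added diagnostic, not from the original post, for reading a host-side capture like the one above: it pairs each ICMP echo reply that reaches the host with an immediately following "time exceeded in-transit" that the host sends back to the reply's source. That message is what a router emits when a packet it is forwarding (here, the reply on its way to the container via docker0) has its TTL reach zero, so replies flagged this way arrived at the host but never reached the container. The host name "nicolas" and a constructed capture in the same shape are assumptions.

```python
import re

# Constructed sample in the shape of the host-side tcpdump output above
# (host name "nicolas" and peer 172.217.192.100 are taken from the capture).
SAMPLE_CAPTURE = """\
16:18:26.237575 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 4, length 64
16:18:26.286692 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 4, length 64
16:18:26.286757 IP nicolas > 172.217.192.100: ICMP time exceeded in-transit, length 92
16:18:27.261770 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 5, length 64
16:18:27.302193 IP 172.217.192.100 > nicolas: ICMP echo reply, id 33, seq 5, length 64
16:18:28.285631 IP nicolas > 172.217.192.100: ICMP echo request, id 33, seq 6, length 64
"""

ECHO_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)
EXCEEDED_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP time exceeded in-transit, length \d+$"
)

def analyze(capture: str, host: str) -> dict:
    """Classify each echo reply seen on the host as 'expired' (host answered the
    sender with time exceeded while forwarding it) or 'delivered' (no such answer)."""
    result = {"requests": 0, "replies": 0, "expired": [], "delivered": []}
    pending = None  # (peer, id, seq) of the last reply not yet classified
    for line in capture.splitlines():
        m = ECHO_RE.match(line)
        if m:
            if pending:  # a new echo line means the previous reply went through
                result["delivered"].append(pending[1:])
                pending = None
            key = (int(m["id"]), int(m["seq"]))
            if m["kind"] == "request":
                result["requests"] += 1
            elif m["dst"] == host:
                result["replies"] += 1
                pending = (m["src"],) + key
            continue
        m = EXCEEDED_RE.match(line)
        if m and pending and m["src"] == host and m["dst"] == pending[0]:
            result["expired"].append(pending[1:])  # host expired the forwarded reply
            pending = None
    if pending:
        result["delivered"].append(pending[1:])
    result["verdict"] = ("host expires replies instead of forwarding them to the container"
                         if result["expired"] else "replies forwarded normally")
    return result
```

Run `analyze(open("capture.txt").read(), "nicolas")` on a real `tcpdump -ni <iface> icmp` capture; any entry under "expired" is a reply the host received but did not forward.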

Source: https://serverfault.com/questions/1034675